Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Got a virus, can't get rid of it! hijack posted [RESOLVED]


  • This topic is locked This topic is locked

#1
timzerofive

timzerofive

    Member

  • Member
  • PipPip
  • 46 posts
Downloaded a file that seems to contain a backdoor trojan. Tried different things but it is still present. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51: VIRUS ALERT!, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\PSIService.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\vebcnqbm.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O3 - Toolbar: nqgpedlr - {0BE5A488-6C2A-45F3-A464-DEC2E7575253} - C:\WINDOWS\nqgpedlr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [30ff45b6] rundll32.exe "C:\WINDOWS\system32\dqwahuho.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [moptfjwk] C:\WINDOWS\system32\vebcnqbm.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [gPXl2pDLGo] C:\Documents and Settings\All Users\Application Data\zmnyxwnk\zwpmvkdw.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: axrfgvek - {5BDAFE5D-CF64-446A-819B-139AF92A411C} - C:\WINDOWS\axrfgvek.dll
O21 - SSODL: okmdepgb - {2A81E282-CE36-49A4-A592-0BDFA7597AB0} - C:\WINDOWS\okmdepgb.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SnVsaWEgV2FuZw\command.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11846 bytes
  • 0

Advertisements


#2
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

I'm looking over your log and will be back with you soon.
  • 0

#3
timzerofive

timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hey, thanks for the fast reply.
  • 0

#4
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi again,

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, don't overlook this!

Now please download combofix from [url="http://subs.geekstogo.com/ComboFix.exe""]here[/url] or here. It is important that you save this file to your desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.

A quick heads up, if you click on combofix's window when it's running, you may cause it to stall.
  • 0

#5
timzerofive

timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi, quick question. I'm scrambling around trying to find my windows vista disk but cannot find it. Is there an alternative to getting the recovery console without the disk?
  • 0

#6
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
In the guide I linked to you it gives you two ways to install the RC, one through the CD the other through combofix, try doing it through combofix.
  • 0

#7
timzerofive

timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I'm at this stage for about 20 minutes already. There is a pop up that says "Registry Editor - Registry editing has been disabled by your administrator." Should I keep waiting?
Posted Image
  • 0

#8
timzerofive

timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I haven't clicked on the Combofix window so I don't think it stalled. There is a curson flashing right under the line "Do not run any programs..."
  • 0

#9
timzerofive

timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Here is the combo Log


ComboFix 08-07-04.6 - Lawrence Wang 2008-07-05 13:39:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.488 [GMT -7:00]
Running from: C:\Documents and Settings\Lawrence Wang\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lawrence Wang\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lawrence Wang\Favorites\Error Cleaner.url
C:\Documents and Settings\Lawrence Wang\Favorites\Privacy Protector.url
C:\Documents and Settings\Lawrence Wang\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\megavid.cdt
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\SnVsaWEgV2FuZw\
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\blphcgh3j0evfp.scr
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\fcccdbcc.dll
C:\WINDOWS\system32\geBroopp.dll
C:\WINDOWS\system32\[email protected]@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\kmmfejqd.ini
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ohuhawqd.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppoorBeg.ini
C:\WINDOWS\system32\ppoorBeg.ini2
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_MsSecurity1.209.4
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-05 13:54 . 2008-07-05 13:54 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\TmpRecentIcons
2008-07-05 11:37 . 2008-07-05 11:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 19:15 . 2008-07-04 19:15 89,088 --a------ C:\WINDOWS\system32\dqwahuho.dll
2008-07-04 18:09 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-07-04 18:09 . 2008-07-04 18:09 376 --a------ C:\WINDOWS\ODBC.INI
2008-07-04 18:08 . 2008-07-04 18:08 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-07-04 18:06 . 2008-07-04 18:06 <DIR> dr-h----- C:\MSOCache
2008-07-04 16:33 . 2008-07-04 16:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-04 16:19 . 2008-07-04 16:29 401 --a------ C:\WINDOWS\wininit.ini
2008-07-04 16:06 . 2008-07-04 16:06 89,088 --a------ C:\WINDOWS\system32\dqjefmmk.dll
2008-07-04 15:34 . 2008-07-04 15:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-04 15:34 . 2008-07-04 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 15:32 . 2008-07-04 15:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 15:10 . 2008-07-04 19:02 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-04 15:06 . 2008-07-04 16:07 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-04 15:06 . 2008-07-04 15:06 <DIR> d-------- C:\Program Files\AVG
2008-07-04 15:06 . 2008-07-04 16:19 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\AVGTOOLBAR
2008-07-04 15:06 . 2008-07-04 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-04 15:06 . 2008-07-04 16:15 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 15:06 . 2008-07-04 16:16 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-04 15:06 . 2008-07-04 15:06 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-07-04 15:06 . 2008-07-04 16:15 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-04 14:34 . 2008-07-04 16:13 <DIR> d-------- C:\WINDOWS\system32\netrax06
2008-07-04 14:34 . 2008-07-04 16:12 <DIR> d-------- C:\WINDOWS\system32\eb10
2008-07-04 14:34 . 2008-07-04 15:52 <DIR> d-------- C:\WINDOWS\system32\bgi
2008-07-04 14:34 . 2008-07-04 16:11 <DIR> d-------- C:\WINDOWS\system32\axc
2008-07-04 14:34 . 2008-07-04 15:52 <DIR> d-------- C:\WINDOWS\system32\1049a
2008-07-04 14:34 . 2008-07-04 14:34 <DIR> d-------- C:\Temp\itmp4
2008-07-04 14:34 . 2008-07-05 13:39 <DIR> d-------- C:\Temp
2008-07-04 14:33 . 2008-07-04 10:08 307,200 --a------ C:\WINDOWS\kgqfwelteax.dll
2008-07-04 14:33 . 2008-07-04 10:08 229,376 --a------ C:\WINDOWS\okmdepgb.dll
2008-07-04 14:33 . 2008-07-04 10:08 180,224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-04 14:33 . 2008-07-04 10:08 155,648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-04 14:33 . 2008-07-04 14:33 94,208 --a------ C:\WINDOWS\system32\vebcnqbm.exe
2008-07-04 14:33 . 2008-07-04 14:33 63,909 --a------ C:\WINDOWS\system32\{0b1672fc-5caf-8767-cabe-817b9b4b9333}.dll-uninst.exe
2008-07-04 00:06 . 2008-07-04 00:06 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-06-29 13:03 . 2008-06-29 13:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-29 13:03 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-29 13:03 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-29 13:03 . 2008-05-08 05:28 202,752 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-29 13:02 . 2006-08-21 02:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-06-29 13:02 . 2006-08-21 02:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-06-29 13:02 . 2006-08-21 05:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-06-19 19:09 . 2008-06-19 19:25 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\ppstream
2008-06-18 21:25 . 2008-06-18 21:25 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-16 23:16 . 2008-07-04 16:23 65,404 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-16 22:59 . 2008-07-04 18:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 22:54 . 2008-06-16 22:54 <DIR> d-------- C:\WINDOWS\Sun
2008-06-16 22:48 . 2008-06-16 22:48 <DIR> d-------- C:\Program Files\uTorrent
2008-06-16 22:48 . 2008-07-04 16:13 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\uTorrent
2008-06-16 22:24 . 2008-06-16 22:25 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\Corel
2008-06-16 22:24 . 2008-06-16 22:24 2,828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-16 22:24 . 2008-06-16 22:24 88 -rahs---- C:\WINDOWS\system32\09E831A509.sys
2008-06-16 22:11 . 2008-06-16 22:11 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\Apple Computer
2008-06-16 22:10 . 2008-06-16 22:10 <DIR> d-------- C:\Program Files\Safari
2008-06-16 22:09 . 2008-06-16 22:10 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-16 22:09 . 2008-06-16 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-16 22:01 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 21:58 . 2008-07-04 01:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-16 21:53 . 2008-06-16 22:39 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 01:43 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-05 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-07-05 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Borland
2008-07-04 21:41 --------- d-----w C:\Program Files\PCDR5
2008-07-04 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-29 06:07 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-06-29 04:18 --------- d-----w C:\Program Files\Google
2008-06-17 05:59 --------- d-----w C:\Program Files\Picasa2
2008-06-17 05:25 --------- d-----w C:\Program Files\Corel
2008-06-17 05:01 --------- d-----w C:\Program Files\Java
2008-05-29 05:43 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Ahead
2008-05-29 05:42 --------- d-----w C:\Program Files\Nero
2008-05-29 05:42 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-28 20:55 --------- d-----w C:\Program Files\DAEMON Tools
2008-05-28 20:36 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-28 19:42 --------- d-----w C:\Program Files\Prime95
2008-05-25 04:29 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Sonic
2008-05-25 04:29 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Leadertech
2008-05-19 04:04 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Lenovo
2008-05-19 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lenovo
2008-05-19 01:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lenovo
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-11 20:25 50 ----a-w C:\WINDOWS\system32\drivers\LENOVO_0769_AUU.MRK
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-17 19:11 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-04-17 18:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF65EEF6-EF1A-4AE7-9F31-D793EC488AAB}]
2008-07-04 10:08 307200 --a------ C:\WINDOWS\kgqfwelteax.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0BE5A488-6C2A-45F3-A464-DEC2E7575253}"= "C:\WINDOWS\nqgpedlr.dll" [2008-07-04 10:08 155648]

[HKEY_CLASSES_ROOT\clsid\{0be5a488-6c2a-45f3-a464-dec2e7575253}]
[HKEY_CLASSES_ROOT\nqgpedlr.1]
[HKEY_CLASSES_ROOT\TypeLib\{2215D134-8228-4561-80FC-CCA78387ED76}]
[HKEY_CLASSES_ROOT\nqgpedlr]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"NoDispCPL"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)
"NoSetFolders"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"axrfgvek"= {5BDAFE5D-CF64-446A-819B-139AF92A411C} - C:\WINDOWS\axrfgvek.dll [2008-07-04 10:08 180224]
"okmdepgb"= {2A81E282-CE36-49A4-A592-0BDFA7597AB0} - C:\WINDOWS\okmdepgb.dll [2008-07-04 10:08 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-05-31 13:57 155648 C:\WINDOWS\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-13 19:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Lawrence Wang^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Lawrence Wang\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup
=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\30ff45b6]
--a------ 2008-07-04 16:06 89088 C:\WINDOWS\system32\dqjefmmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
--a------ 2007-05-31 13:07 946176 C:\Program Files\Lenovo Fingerprint Software\fpapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 09:27]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 16:15]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 11:24]
R1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys [2006-05-24 11:48]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-04 15:06]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 15:06]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 16:16]
R2 FNF5SVC;Fn+F5 Service;C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe [2007-04-08 18:24]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 13:11]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2007-05-22 15:59]
S1 MSPQMM;MSPQMM;C:\WINDOWS\system32\drivers\MSPQMM.sys []
S3 FingerprintServer;Fingerprint Server;C:\WINDOWS\system32\FpLogonServ.exe [2007-06-22 11:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebd41f4e-2546-11dd-adb6-001eec08d55b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
- - - - ORPHANS REMOVED - - - -

BHO-{1421B799-C4AA-4F81-89D9-01E1FBFA29FE} - C:\WINDOWS\system32\geBroopp.dll
BHO-{AE99EB12-A2D7-42D7-8BC2-754431199E2F} - C:\WINDOWS\system32\fcccdbcc.dll
HKLM-Explorer_Run-gPXl2pDLGo - C:\Documents and Settings\All Users\Application Data\zmnyxwnk\zwpmvkdw.exe
ShellExecuteHooks-{AE99EB12-A2D7-42D7-8BC2-754431199E2F} - C:\WINDOWS\system32\fcccdbcc.dll
MSConfigStartUp-Microsoft Windows Installer - C:\Documents and Settings\Lawrence Wang\Application Data\Microsoft\dtsc\14783.exe
MSConfigStartUp-{F4-45-51-19-DW} - C:\windows\system32\rwwnw64d.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 13:54:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ohuhawqd.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\dqwahuho.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.EXE
C:\Program Files\Common Files\Installshield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\vebcnqbm.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\mmc.exe
.
**************************************************************************
.
Completion time: 2008-07-05 14:59:57 - machine was rebooted [Lawrence Wang]
ComboFix-quarantined-files.txt 2008-07-05 21:59:50

Pre-Run: 96,475,336,704 bytes free
Post-Run: 97,725,919,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

349 --- E O F --- 2008-07-03 07:05:42
  • 0

#10
timzerofive

timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
New Hijiack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51: VIRUS ALERT!, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\PSIService.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\vebcnqbm.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O3 - Toolbar: nqgpedlr - {0BE5A488-6C2A-45F3-A464-DEC2E7575253} - C:\WINDOWS\nqgpedlr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [30ff45b6] rundll32.exe "C:\WINDOWS\system32\dqwahuho.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [moptfjwk] C:\WINDOWS\system32\vebcnqbm.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKLM\..\Policies\Explorer\Run: [gPXl2pDLGo] C:\Documents and Settings\All Users\Application Data\zmnyxwnk\zwpmvkdw.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: axrfgvek - {5BDAFE5D-CF64-446A-819B-139AF92A411C} - C:\WINDOWS\axrfgvek.dll
O21 - SSODL: okmdepgb - {2A81E282-CE36-49A4-A592-0BDFA7597AB0} - C:\WINDOWS\okmdepgb.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SnVsaWEgV2FuZw\command.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11846 bytes
  • 0

Advertisements


#11
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there its about midnight over here, I will post back tommorow.

Your computer is heavily infected, please wait until I post back before running any tools.

Thanks,

Mike
  • 0

#12
timzerofive

timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
uh oh. Alright, thanks a lot.
  • 0

#13
timzerofive

timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
If someone else got an idea and could jump in earlier, that would be great as well. Thanks.
  • 0

#14
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
I got to you within 5 minute of you posting your thread while many others wait 3 days or more before receiving a reply,
it would be nice if you could have a little patience please.

Also I noticed that you abandoned your old thread in 07, if possible, please post back with results this time around.

Please go to Uploadmalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\kgqfwelteax.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
You may need to show hidden files, which you can do by following the instructions found here.

and,
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\kgqfwelteax.dll
  • Click on the submit button
  • Please post the results in your next reply.
Now,

Please click Start then Run, in the window appears type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
http://www.geekstogo.com/forum/virus-cant-get-rid-it-hijack-posted-t204091.html&gopid=1278003#entry1278003

Collect::[4]
C:\WINDOWS\system32\dqwahuho.dll
C:\WINDOWS\system32\dqjefmmk.dll
C:\WINDOWS\okmdepgb.dll
C:\WINDOWS\axrfgvek.dll
C:\WINDOWS\nqgpedlr.dll
C:\WINDOWS\system32\vebcnqbm.exe
C:\WINDOWS\nqgpedlr.dll

Folder::
C:\WINDOWS\system32\netrax06
C:\WINDOWS\system32\eb10
C:\WINDOWS\system32\bgi
C:\WINDOWS\system32\axc
C:\WINDOWS\system32\1049a
C:\Temp\itmp4

File::
C:\WINDOWS\kgqfwelteax.dll
C:\WINDOWS\system32\{0b1672fc-5caf-8767-cabe-817b9b4b9333}.dll-uninst.exe
C:\WINDOWS\system32\ohuhawqd.ini
C:\Documents and Settings\Lawrence Wang\Start Menu\Programs\Startup\DW_Start.lnk

Driver::
MSPQMM

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF65EEF6-EF1A-4AE7-9F31-D793EC488AAB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0BE5A488-6C2A-45F3-A464-DEC2E7575253}"=-
[-HKEY_CLASSES_ROOT\clsid\{0be5a488-6c2a-45f3-a464-dec2e7575253}]
[-HKEY_CLASSES_ROOT\nqgpedlr.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2215D134-8228-4561-80FC-CCA78387ED76}]
[-HKEY_CLASSES_ROOT\nqgpedlr]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"NoDispCPL"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=-
"StartMenuLogoff"=-
"NoStartMenuMorePrograms"=-
"NoSetFolders"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"axrfgvek"=-
"okmdepgb"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^Lawrence Wang^Start Menu^Programs^Startup^DW_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\30ff45b6]
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

And finally,


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Post back with the logs please.

Edited by Mike, 06 July 2008 - 05:38 AM.

  • 0

#15
timzerofive

timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hey I'm really appreciative of your help. I was just seeing if there were anyone available due to the fact that I'm posting this for my father's laptop while I visited my parents. I was hoping to not have to come back again today to finish it up thats why. Same goes for my 07 post, it was posting for a friend's comp, so she did not go back on to post result. I will definitely follow up on this one.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP