
Got a virus, can't get rid of it! hijack posted [RESOLVED]



#16 timzerofive, Member (Topic Starter, 46 posts)
File has been uploaded to Uploadmalware as instructed.
Below is the scan result from Online Malware Scan:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: kgqfwelteax.dll
Status: INFECTED/MALWARE
MD5: cb83899a0ebdb6991169b24839ea5d14
Packers detected: -

Scanner results
Scan taken on 06 Jul 2008 17:44:54 (GMT)
A-Squared Found nothing
AntiVir Found ADSPY/AdSpy.Gen
ArcaVir Found nothing
Avast Found Win32:Vapsup-EB
AVG Antivirus Found Downloader.Zlob.ZEY
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Virus.Win32.Vapsup.EB
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/Emogen-AC
VirusBuster Found nothing
VBA32 Found Downloader.Zlob.8 (probable variant)

Combofix is currently running with the new CFScrpt.txt.
  • 0



#17 Mike, Malware Monger (Retired Staff, 2,745 posts)
I misunderstood then and I apologize,

There is no rush to do the fixes, take your time and post back when ready.

:)

Mike

Edit: we cross posted, I'll wait on the Combofix log - thanks for uploading the file, it's relatively new and this will give the antivirus vendors a sample so that they can add them to their definitions.

Edited by Mike, 06 July 2008 - 11:54 AM.

  • 0

#18 timzerofive, Member (Topic Starter, 46 posts)
No worries Mike, again, appreciate your help.
New ComboFix Log

ComboFix 08-07-04.6 - Lawrence Wang 2008-07-06 10:49:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.536 [GMT -7:00]
Running from: C:\Documents and Settings\Lawrence Wang\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lawrence Wang\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Lawrence Wang\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\kgqfwelteax.dll
C:\WINDOWS\system32\{0b1672fc-5caf-8767-cabe-817b9b4b9333}.dll-uninst.exe
C:\WINDOWS\system32\ohuhawqd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lawrence Wang\Desktop\Error Cleaner.url
C:\Documents and Settings\Lawrence Wang\Desktop\Privacy Protector.url
C:\Documents and Settings\Lawrence Wang\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Lawrence Wang\Favorites\Error Cleaner.url
C:\Documents and Settings\Lawrence Wang\Favorites\Privacy Protector.url
C:\Documents and Settings\Lawrence Wang\Favorites\Spyware&Malware Protection.url
C:\Temp\itmp4
C:\Temp\itmp4\mkbv4i.log
C:\WINDOWS\axrfgvek.dll
C:\WINDOWS\kgqfwelteax.dll
C:\WINDOWS\nqgpedlr.dll
C:\WINDOWS\okmdepgb.dll
C:\WINDOWS\system32\{0b1672fc-5caf-8767-cabe-817b9b4b9333}.dll-uninst.exe
C:\WINDOWS\system32\1049a
C:\WINDOWS\system32\axc
C:\WINDOWS\system32\bgi
C:\WINDOWS\system32\dqjefmmk.dll
C:\WINDOWS\system32\dqwahuho.dll
C:\WINDOWS\system32\eb10
C:\WINDOWS\system32\netrax06
C:\WINDOWS\system32\ohuhawqd.ini
C:\WINDOWS\system32\vebcnqbm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSPQMM
-------\Service_MSPQMM


((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-07-05 11:37 . 2008-07-05 11:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 18:09 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-07-04 18:09 . 2008-07-04 18:09 376 --a------ C:\WINDOWS\ODBC.INI
2008-07-04 18:08 . 2008-07-04 18:08 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-07-04 18:06 . 2008-07-04 18:06 <DIR> dr-h----- C:\MSOCache
2008-07-04 16:33 . 2008-07-04 16:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-04 16:19 . 2008-07-04 16:29 401 --a------ C:\WINDOWS\wininit.ini
2008-07-04 15:34 . 2008-07-04 15:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-04 15:34 . 2008-07-04 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 15:32 . 2008-07-04 15:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 15:10 . 2008-07-04 19:02 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-04 15:06 . 2008-07-04 16:07 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-04 15:06 . 2008-07-04 15:06 <DIR> d-------- C:\Program Files\AVG
2008-07-04 15:06 . 2008-07-04 16:19 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\AVGTOOLBAR
2008-07-04 15:06 . 2008-07-04 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-04 15:06 . 2008-07-04 16:15 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 15:06 . 2008-07-04 16:16 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-04 15:06 . 2008-07-04 15:06 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-07-04 15:06 . 2008-07-04 16:15 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-04 14:34 . 2008-07-06 10:49 <DIR> d-------- C:\Temp
2008-07-04 00:06 . 2008-07-04 00:06 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-06-29 13:03 . 2008-06-29 13:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-29 13:03 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-29 13:03 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-29 13:03 . 2008-05-08 05:28 202,752 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-29 13:02 . 2006-08-21 02:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-06-29 13:02 . 2006-08-21 02:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-06-29 13:02 . 2006-08-21 05:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-06-19 19:09 . 2008-06-19 19:25 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\ppstream
2008-06-18 21:25 . 2008-06-18 21:25 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-16 23:16 . 2008-07-04 16:23 65,404 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-16 22:59 . 2008-07-04 18:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 22:54 . 2008-06-16 22:54 <DIR> d-------- C:\WINDOWS\Sun
2008-06-16 22:48 . 2008-06-16 22:48 <DIR> d-------- C:\Program Files\uTorrent
2008-06-16 22:48 . 2008-07-04 16:13 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\uTorrent
2008-06-16 22:24 . 2008-06-16 22:25 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\Corel
2008-06-16 22:24 . 2008-06-16 22:24 2,828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-16 22:24 . 2008-06-16 22:24 88 -rahs---- C:\WINDOWS\system32\09E831A509.sys
2008-06-16 22:11 . 2008-06-16 22:11 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\Apple Computer
2008-06-16 22:10 . 2008-06-16 22:10 <DIR> d-------- C:\Program Files\Safari
2008-06-16 22:09 . 2008-06-16 22:10 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-16 22:09 . 2008-06-16 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-16 22:01 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 21:58 . 2008-07-04 01:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-16 21:53 . 2008-06-16 22:39 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 01:43 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-05 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-07-05 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Borland
2008-07-04 21:41 --------- d-----w C:\Program Files\PCDR5
2008-07-04 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-29 06:07 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-06-29 04:18 --------- d-----w C:\Program Files\Google
2008-06-17 05:59 --------- d-----w C:\Program Files\Picasa2
2008-06-17 05:25 --------- d-----w C:\Program Files\Corel
2008-06-17 05:01 --------- d-----w C:\Program Files\Java
2008-05-29 05:43 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Ahead
2008-05-29 05:42 --------- d-----w C:\Program Files\Nero
2008-05-29 05:42 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-28 20:55 --------- d-----w C:\Program Files\DAEMON Tools
2008-05-28 20:36 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-28 19:42 --------- d-----w C:\Program Files\Prime95
2008-05-25 04:29 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Sonic
2008-05-25 04:29 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Leadertech
2008-05-19 04:04 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Lenovo
2008-05-19 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lenovo
2008-05-19 01:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lenovo
2008-05-11 20:25 50 ----a-w C:\WINDOWS\system32\drivers\LENOVO_0769_AUU.MRK
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-17 18:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((( [email protected]_13.57.24.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-05 18:34:33 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-06 17:42:47 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-05 18:34:33 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-06 17:42:47 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-06 17:52:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_408.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1421B799-C4AA-4F81-89D9-01E1FBFA29FE}]
C:\WINDOWS\system32\geBroopp.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE99EB12-A2D7-42D7-8BC2-754431199E2F}]
C:\WINDOWS\system32\fcccdbcc.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 21:58 68856]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 13:19 536576]
"TPWAUDAP"="C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe" [2006-09-06 00:38 54824]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 11:03 58416]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-18 22:51 774233]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PMHandler"="C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe" [2007-03-16 05:26 31840]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-23 00:32 138008]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 15:42 321088]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"LPManager"="C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 10:10 120368]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00 44032]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-23 00:32 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-23 00:32 162584]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 16:24 196696]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 16:35 2630968]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-10-12 00:28 1282048]
"AzMixerSel"="C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2007-08-23 00:36 53248]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 03:51 91688]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 15:06 1177368]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 11:00 439856]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 14:51 126976]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 14:58 413696]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 00:21 16384000 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 00:40 89542 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{AE99EB12-A2D7-42D7-8BC2-754431199E2F}"= "C:\WINDOWS\system32\fcccdbcc.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-05-31 13:57 155648 C:\WINDOWS\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-13 19:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
--a------ 2007-05-31 13:07 946176 C:\Program Files\Lenovo Fingerprint Software\fpapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 09:27]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 16:15]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 11:24]
R1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys [2006-05-24 11:48]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-04 15:06]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 15:06]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 16:16]
R2 FNF5SVC;Fn+F5 Service;C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe [2007-04-08 18:24]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 13:11]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2007-05-22 15:59]
S3 FingerprintServer;Fingerprint Server;C:\WINDOWS\system32\FpLogonServ.exe [2007-06-22 11:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebd41f4e-2546-11dd-adb6-001eec08d55b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-moptfjwk - C:\WINDOWS\system32\vebcnqbm.exe
HKLM-Run-30ff45b6 - C:\WINDOWS\system32\dqwahuho.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 10:53:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-07-06 10:56:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-06 17:56:07
ComboFix2.txt 2008-07-05 21:59:58

Pre-Run: 97,726,054,400 bytes free
Post-Run: 97,710,039,040 bytes free

256 --- E O F --- 2008-07-03 07:05:42

Edited by timzerofive, 06 July 2008 - 12:02 PM.

  • 0

#19 timzerofive, Member (Topic Starter, 46 posts)
Malware Log

Malwarebytes' Anti-Malware 1.19
Database version: 927
Windows 5.1.2600 Service Pack 2

11:11:40 AM 7/6/2008
mbam-log-7-6-2008 (11-11-40).txt

Scan type: Quick Scan
Objects scanned: 40206
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{19081814-e377-4e28-bc7f-7515319dd069} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7eb42f29-bd4f-42ab-9806-95f22c1359eb} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ad495cb3-59ad-4ebe-b135-246006f8c4b1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a007fa7f-bfab-4cd3-8717-7df9c294d025} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nqgpedlr.bvto (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nqgpedlr.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarerefer...=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#20 Mike, Malware Monger (Retired Staff, 2,745 posts)
Hi there,


Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1421B799-C4AA-4F81-89D9-01E1FBFA29FE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE99EB12-A2D7-42D7-8BC2-754431199E2F}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{AE99EB12-A2D7-42D7-8BC2-754431199E2F}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Then,

Download the latest version of Java Runtime Environment (JRE) 6 Update 6. Once done, uninstall any older versions of Java through add or remove programs.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Post back with the above logs along with a new HijackThis log; also, how is your computer running?

Edited by Mike, 06 July 2008 - 12:47 PM.

  • 0
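An added illustration of the log reading behind the script above (not code from this thread, from Mike or from ComboFix): a Python parser over the Reg Loading Points entries quoted from the earlier ComboFix log that regenerates the same Registry:: directives for the CLSIDs a helper has chosen, and lists BHOs that also appear as ShellExecuteHooks. The CFScript syntax is assumed from the post, and the sample log text is the thread's own excerpt.

```python
import re
from typing import List, Optional

# Constructed sample input: the relevant "Reg Loading Points" entries quoted
# from the ComboFix log earlier in this thread, including the stray "=" line
# that follows the AppInit_DLLs value.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1421B799-C4AA-4F81-89D9-01E1FBFA29FE}]
C:\WINDOWS\system32\geBroopp.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE99EB12-A2D7-42D7-8BC2-754431199E2F}]
C:\WINDOWS\system32\fcccdbcc.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{AE99EB12-A2D7-42D7-8BC2-754431199E2F}"= "C:\WINDOWS\system32\fcccdbcc.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "name"=data, with optional quotes round the data and an optional trailing
# [..] tag (file date/size, or the [BU] marker seen in the log).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<data>[^"\[]*?)"?\s*(?:\[[^\]]*\])?$')


def _strip_tag(line: str) -> str:
    """Drop a trailing ' [..]' annotation from a bare path line."""
    return re.sub(r"\s*\[[^\]]*\]$", "", line).strip()


def parse_load_points(text: str) -> dict:
    """Pull the three load points the script in this thread touches out of a
    ComboFix 'Reg Loading Points' section: BHOs, ShellExecuteHooks and
    AppInit_DLLs. Keys are kept exactly as printed (ComboFix's '~' shorthand
    included) so they can be reused verbatim in a CFScript."""
    out = {"bho": {}, "hooks": {}, "hooks_key": None,
           "windows_key": None, "appinit_dlls": None}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        low = key.lower()
        if "browser helper objects" in low:
            c = CLSID_RE.search(key)
            if c:
                out["bho"][c.group(0).upper()] = {"key": key, "dll": _strip_tag(line)}
        elif low.endswith("shellexecutehooks"):
            v = VALUE_RE.match(line)
            if v:
                out["hooks_key"] = key
                out["hooks"][v.group("name").upper()] = v.group("data").strip()
        elif low.endswith(r"currentversion\windows"):
            v = VALUE_RE.match(line)  # the bare "=" line does not match and is skipped
            if v and v.group("name").lower() == "appinit_dlls":
                out["windows_key"] = key
                out["appinit_dlls"] = v.group("data").strip()
    return out


def bhos_also_hooked(parsed: dict) -> List[str]:
    """CLSIDs registered both as a BHO and as a ShellExecuteHook. A hook DLL is
    loaded into any process that calls ShellExecute, not only the browser, so
    such entries deserve a second look before a removal script is written."""
    return sorted(c for c in parsed["bho"] if c in parsed["hooks"])


def build_cfscript(parsed: dict, remove: List[str],
                   appinit_dlls: Optional[str] = None) -> str:
    """Emit a CFScript 'Registry::' block using the syntax from the post:
    [-KEY] deletes a key, "name"=- deletes a value, "name"="data" sets one."""
    wanted = {c.upper() for c in remove}
    lines = ["Registry::"]
    for clsid, info in parsed["bho"].items():
        if clsid in wanted:
            lines.append(f"[-{info['key']}]")
    hooked = [c for c in parsed["hooks"] if c in wanted]
    if hooked:
        lines.append(f"[{parsed['hooks_key']}]")
        lines.extend(f'"{c}"=-' for c in hooked)
    if appinit_dlls is not None and parsed["windows_key"]:
        lines.append(f"[{parsed['windows_key']}]")
        lines.append(f'"AppInit_DLLs"="{appinit_dlls}"')
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_load_points(SAMPLE_LOG)
    print("BHOs that are also ShellExecuteHooks:", bhos_also_hooked(parsed))
    print(build_cfscript(parsed, list(parsed["bho"]), appinit_dlls="avgrsstx.dll"))
```

Run against the sample, the generated block is line for line the one Mike posted; the Run key entry is ignored, and the broken "=" line under the windows key is skipped rather than treated as a value.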

#21 Mike, Malware Monger (Retired Staff, 2,745 posts)
Edited my post, please refresh and review.
  • 0

#22 timzerofive, Member (Topic Starter, 46 posts)
It is already running well, without all the problems from before. Here is the ComboFix log; I'm downloading Java and will be running the scan in a few min, and will post that log plus a new HijackThis log in a bit. Thanks.

ComboFix 08-07-04.6 - Lawrence Wang 2008-07-06 11:59:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.540 [GMT -7:00]
Running from: C:\Documents and Settings\Lawrence Wang\Desktop\ComboFix.exe
Command switches used :: E:\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-07-06 10:59 . 2008-07-06 10:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-06 10:59 . 2008-07-06 10:59 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\Malwarebytes
2008-07-06 10:59 . 2008-07-06 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-06 10:59 . 2008-06-28 14:21 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-06 10:59 . 2008-06-28 14:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-05 11:37 . 2008-07-05 11:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-04 18:09 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-07-04 18:09 . 2008-07-04 18:09 376 --a------ C:\WINDOWS\ODBC.INI
2008-07-04 18:08 . 2008-07-04 18:08 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-07-04 18:06 . 2008-07-04 18:06 <DIR> dr-h----- C:\MSOCache
2008-07-04 16:33 . 2008-07-04 16:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-04 16:19 . 2008-07-04 16:29 401 --a------ C:\WINDOWS\wininit.ini
2008-07-04 15:34 . 2008-07-04 15:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-04 15:34 . 2008-07-04 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 15:32 . 2008-07-04 15:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 15:10 . 2008-07-04 19:02 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-04 15:06 . 2008-07-04 16:07 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-04 15:06 . 2008-07-04 15:06 <DIR> d-------- C:\Program Files\AVG
2008-07-04 15:06 . 2008-07-04 16:19 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\AVGTOOLBAR
2008-07-04 15:06 . 2008-07-04 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-04 15:06 . 2008-07-04 16:15 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 15:06 . 2008-07-04 16:16 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-04 15:06 . 2008-07-04 15:06 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-07-04 15:06 . 2008-07-04 16:15 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-04 14:34 . 2008-07-06 10:49 <DIR> d-------- C:\Temp
2008-07-04 00:06 . 2008-07-04 00:06 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-06-29 13:03 . 2008-06-29 13:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-29 13:03 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-29 13:03 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-29 13:03 . 2008-05-08 05:28 202,752 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-29 13:02 . 2006-08-21 02:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-06-29 13:02 . 2006-08-21 02:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-06-29 13:02 . 2006-08-21 05:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-06-19 19:09 . 2008-06-19 19:25 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\ppstream
2008-06-18 21:25 . 2008-06-18 21:25 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-16 23:16 . 2008-07-04 16:23 65,404 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-16 22:59 . 2008-07-04 18:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 22:54 . 2008-06-16 22:54 <DIR> d-------- C:\WINDOWS\Sun
2008-06-16 22:48 . 2008-06-16 22:48 <DIR> d-------- C:\Program Files\uTorrent
2008-06-16 22:48 . 2008-07-04 16:13 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\uTorrent
2008-06-16 22:24 . 2008-06-16 22:25 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\Corel
2008-06-16 22:24 . 2008-06-16 22:24 2,828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-16 22:24 . 2008-06-16 22:24 88 -rahs---- C:\WINDOWS\system32\09E831A509.sys
2008-06-16 22:11 . 2008-06-16 22:11 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\Apple Computer
2008-06-16 22:10 . 2008-06-16 22:10 <DIR> d-------- C:\Program Files\Safari
2008-06-16 22:09 . 2008-06-16 22:10 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-16 22:09 . 2008-06-16 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-16 22:01 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 21:58 . 2008-07-04 01:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-16 21:53 . 2008-06-16 22:39 <DIR> d-------- C:\Documents and Settings\Lawrence Wang\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 01:43 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-05 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-07-05 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Borland
2008-07-04 21:41 --------- d-----w C:\Program Files\PCDR5
2008-07-04 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-29 06:07 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-06-29 04:18 --------- d-----w C:\Program Files\Google
2008-06-17 05:59 --------- d-----w C:\Program Files\Picasa2
2008-06-17 05:25 --------- d-----w C:\Program Files\Corel
2008-06-17 05:01 --------- d-----w C:\Program Files\Java
2008-05-29 05:43 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Ahead
2008-05-29 05:42 --------- d-----w C:\Program Files\Nero
2008-05-29 05:42 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-28 20:55 --------- d-----w C:\Program Files\DAEMON Tools
2008-05-28 20:36 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-28 19:42 --------- d-----w C:\Program Files\Prime95
2008-05-25 04:29 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Sonic
2008-05-25 04:29 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Leadertech
2008-05-19 04:04 --------- d-----w C:\Documents and Settings\Lawrence Wang\Application Data\Lenovo
2008-05-19 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lenovo
2008-05-19 01:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lenovo
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-11 20:25 50 ----a-w C:\WINDOWS\system32\drivers\LENOVO_0769_AUU.MRK
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 05:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-17 19:11 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-04-17 18:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((( [email protected]_13.57.24.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-05 18:34:33 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-06 18:18:17 64,774 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-05 18:34:33 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-06 18:18:17 409,800 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-06 18:57:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_468.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 21:58 68856]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-02-08 13:19 536576]
"TPWAUDAP"="C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe" [2006-09-06 00:38 54824]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 11:03 58416]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-18 22:51 774233]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PMHandler"="C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe" [2007-03-16 05:26 31840]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-23 00:32 138008]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 15:42 321088]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"LPManager"="C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 10:10 120368]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00 44032]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-23 00:32 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-23 00:32 162584]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 16:24 196696]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 16:35 2630968]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-10-12 00:28 1282048]
"AzMixerSel"="C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2007-08-23 00:36 53248]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 03:51 91688]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 15:06 1177368]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 11:00 439856]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 14:51 126976]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 14:58 413696]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 00:21 16384000 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 00:40 89542 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-05-31 13:57 155648 C:\WINDOWS\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-13 19:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
--a------ 2007-05-31 13:07 946176 C:\Program Files\Lenovo Fingerprint Software\fpapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 09:27]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 16:15]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 11:24]
R1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys [2006-05-24 11:48]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-04 15:06]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 15:06]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 16:16]
R2 FNF5SVC;Fn+F5 Service;C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe [2007-04-08 18:24]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 13:11]
R3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2007-05-22 15:59]
S3 FingerprintServer;Fingerprint Server;C:\WINDOWS\system32\FpLogonServ.exe [2007-06-22 11:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebd41f4e-2546-11dd-adb6-001eec08d55b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 12:01:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2008-07-06 12:02:12
ComboFix-quarantined-files.txt 2008-07-06 19:02:07
ComboFix2.txt 2008-07-06 17:56:16
ComboFix3.txt 2008-07-05 21:59:58

Pre-Run: 97,693,069,312 bytes free
Post-Run: 97,677,840,384 bytes free

203 --- E O F --- 2008-07-03 07:05:42
  • 0

#23
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
The Kaspersky scan takes a while; go out for a drink :)

I'll wait for your reply.
  • 0

#24
timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
It is taking a while, 75% so far.
  • 0

#25
timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Kaspersky Scan Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, July 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, July 06, 2008 18:57:34
Records in database: 918909
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 51172
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:04:32


File name / Threat name / Threats count
C:\Documents and Settings\Lawrence Wang\Local Settings\Application Data\Identities\{8E462109-3BE4-4456-BE4A-7BF26A776F08}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-GameThief.Win32.Magania.uef 1
C:\Documents and Settings\Lawrence Wang\Local Settings\Application Data\Identities\{8E462109-3BE4-4456-BE4A-7BF26A776F08}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-GameThief.Win32.Magania.viv 1
C:\WINDOWS\Web\desc.htm Infected: not-virus:Hoax.HTML.Secureinvites.c 1

The selected area was scanned.
  • 0

#26
timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:35, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\PSIService.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11408 bytes
  • 0

#27
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi again,

You have some bad emails in your "deleted" box in Outlook; make sure they are removed.

C:\Documents and Settings\Lawrence Wang\Local Settings\Application Data\Identities\{8E462109-3BE4-4456-BE4A-7BF26A776F08}\Microsoft\OutlookExpress\Deleted Items.dbx

Please delete this file: C:\WINDOWS\Web\desc.htm <--- that file.

You can fix these lines with HijackThis. Do a scan only, and put a check mark next to the following:

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

Then click "Fix checked" and exit HijackThis.

I notice you have no Firewall program installed on your computer. These programs are necessary to keep your computer safe from hackers and remote attacks against your computer. Without one, you are opening a door for hackers. I would like you to download one of these free programs I have listed here for you.
Note: Make sure to only install ONE program, as having more can cause conflicts between these programs, which in turn lowers your protection and slows down your computer.

From here your logs look clean,

Click START then RUN
Now type Combofix /u in the Run box and click OK
Notice the space between the x and the /; that needs to be there.

&

Now please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.


Now that you are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:
  • Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
    Things you can do to avoid downloading bad programs:
    • Google the program. Read reviews and opinions from other people on the internet; if you don't see any reports of foul play, then there more than likely is none.
    • Stay away from cracks! However luring the thought of free software can be, it's not worth the hassle and potential danger of getting infected.
    • Download the program directly from the website of the developer; then you can be certain you haven't downloaded a bogus copy.
    • Read the EULA (End User License Agreement) and find out exactly what you are downloading. A good tool to aid you in this would be EULAlyzer.
  • Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program, make sure to update it at least once a week.
  • Make sure that Windows Update is enabled. Keeping your system up to date is a must; to turn on automatic updates, take a look at this article by Microsoft.
I have listed two programs to boost your security while using no resources.
  • SpywareBlaster: take a look at the tutorial here.
  • ZonedOut: adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Also consider using an alternative web browser. Two big-name ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.
  • 0
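Added example, not code from this thread or from HijackThis itself: a small Python reviewer that parses HijackThis-format log lines and flags the entries a helper looks at first, including the two "(no file)" / "(file missing)" lines singled out in the post above. The sample log is constructed from a few lines copied from the posted HijackThis log; the finding labels and the `review`/`fix_list` helpers are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log posted in
# this thread, so that clean and questionable entries sit side by side.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
End of file - 11408 bytes
"""

# Every HijackThis entry starts with a section code (R0, O2, O20, O23, ...) followed by " - ".
HJT_ENTRY = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# HijackThis' own wording for an entry whose target no longer exists on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")

REASON_ORPHAN = "orphaned entry: target file is missing"
REASON_NO_OWNER = "service with no publisher information; verify it by hand"
REASON_APPINIT = "AppInit_DLLs is loaded into every GUI process; confirm the DLL is expected"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text: str):
    """Yield (section, line) for each HijackThis entry; header and footer lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if m:
            yield m.group("section"), line


def review(log_text: str) -> list:
    """Flag the entries a helper would look at twice, in log order."""
    findings = []
    for section, line in parse_entries(log_text):
        if any(marker in line for marker in MISSING_MARKERS):
            findings.append(Finding(section, REASON_ORPHAN, line))
        elif section == "O23" and "Unknown owner" in line:
            findings.append(Finding(section, REASON_NO_OWNER, line))
        elif section == "O20" and line.startswith("O20 - AppInit_DLLs:"):
            findings.append(Finding(section, REASON_APPINIT, line))
    return findings


def fix_list(findings) -> list:
    """Only orphaned entries are safe to tick under 'Fix checked' without further checks:
    nothing on disk backs them, so removing the registry pointer cannot break a program."""
    return [f.line for f in findings if f.reason == REASON_ORPHAN]


if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("\nTick these in HijackThis (Scan only, then Fix checked):")
    for entry in fix_list(found):
        print("   ", entry)
```

The "Unknown owner" and AppInit_DLLs findings are review prompts, not fix candidates; in this thread both turned out to be legitimate (a licensing service and the AVG resident shield DLL).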

#28
timzerofive

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Everything looks to be functioning properly. I don't appear to have any more problems. Thank you very very much for your help.
  • 0

#29
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
No problems,

Have a great day still and take care :)

Mike
  • 0

#30
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





