
Wireless Connection Intermittently Disappearing; Suspect Mal/Adware or


  • This topic is locked

#1 gruurly (Member, 26 posts)
This is my first time posting here; I'm so glad I found this forum!

I've had wireless connectivity problems with my laptop ever since I purchased it (refurbished) about 4 months ago. Detailed specs are posted at the very bottom, but basically it's an IBM Thinkpad R40 running XP.

For unknown reasons, the wireless connection will stop working, and when I look at the network adapter it has an exclamation point next to the High Rate Wireless LAN Mini PCI Adapter III. Sometimes it would start working again without doing anything, other times I'd have to scan my system, reboot in safe mode, scan again (usually finding a program called CommandDesktop recurrently), and all would be okay again.

That is, until yesterday. I walked away to hit the bathroom, and came back. My screen was black. I wasn't able to get it out of snooze mode, so I had to reboot. Since then, my laptop will not recognize that there is a High Rate Wireless LAN Mini PCI Adapter III attached to my computer; only the High Rate Wireless LAN Mini PCI Adapter III - Packet Scheduler Miniport shows up. I've done the following to try and remedy the problem so far, since I'm suspecting this is a malware/virus problem:

- Installed WinSockXPFix - no change
- Run SpyBot, Spyware Sweeper, CWShredder, Trend, AdWare, Ewido in both normal and safe mode (all have found different variations of stuff on my system and supposedly removed them; I've posted the most recent Ewido below).
- Run Hijack This numerous times, same as above
- I have ZoneAlarm installed and running at all times
- I have NOT done a windows update, and won't until I've freed my system of any issues
- Installed all of the newest drivers for my laptop (almost all were old and not up to date); I noticed that IBM is aware my laptop configuration has issues with intermittent wireless connections and created a new driver for the High Rate Wireless LAN Mini PCI Adapter III in 2003, but whenever I try and install it I get an error at the very end telling me that it didn't install properly.

I'm wondering if somewhere, somehow, I accidentally erased something I shouldn't have, and this is why I'm having issues now. I can connect to the net through a non-wireless connection, which is what I am doing now.

Anyway, I'm stuck. Help?

******************************* SYSTEM SUMMARY *******************************
OS information: Microsoft Windows XP
OS version: 5.10.2600 Service Pack 1
Processor: x86 Family 15 Model 2 Stepping 7
Memory: 261,040 kb
BIOS version: 1.15 (1OET49WW)
Machine type-Model: 2681HU1

****************************** BIOS INFORMATION ******************************
BIOS version: 1.15 (1OET49WW)
BIOS date : 2004-07-05
Embedded controller version: 1.11
Machine type-Model: 2681HU1

***************************** DRIVE INFORMATION ******************************
Logical drive: C:\
Drive type: Fixed drive
Drive size: 36,734,008 kb
Drive free space: 23,773,628 kb

Logical drive: D:\
Drive type: CD-ROM drive
Drive size: 0 kb
Drive free space: 0 kb


**************************** BATTERY INFORMATION *****************************
Status: No activity
Remaining percentage: 99 %
Remaining capacity: 45.45 Wh
Full charge capacity: 45.22 Wh
Temperature: 28 C
Cycle count: 99
Manufacturer name: SANYO
Manufacture date: 2003-05-28
First used date: 2003-09
Serial number: 2738
Battery name (FRU part number): IBM-02K7054
Device chemistry: Li-Ion
Design capacity: 57.60 Wh
Design voltage: 14.40 V

***************************** OTHER INFORMATION ******************************


Power scheme: Portable/Laptop
********** AC settings **********
Turn off monitor: After 15 minutes
Turn off hard disks: After 30 minutes
System standby: After 20 minutes
********** Battery settings **********
Turn off monitor: After 5 minutes
Turn off hard disks: After 5 minutes
System standby: After 5 minutes


************************* SYSTEM DEVICE INFORMATION **************************
Device class: Accessibility options
Device status: Disabled
No resources used

Device class: Serial port
Device description: Communications Port (COM1)
Driver provider: Microsoft
Driver date: 7-1-2001
Driver version: 5.1.2600.0
Device status: Enabled
Resource
I/O address: [03F8 - 03FF]
IRQ: 4

Device class: Parallel port
Device description: Printer Port (LPT1)
Driver provider: Microsoft
Driver date: 7-1-2001
Driver version: 5.1.2600.0
Device status: Enabled
Resource
I/O address: [03BC - 03BE]

Device class: TrackPoint
Device status: Enabled
No resources used

Device class: Audio
Device description: SoundMAX Integrated Digital Audio
Driver provider: Analog Devices
Driver date: 3-28-2005
Driver version: 5.12.1.5410
Device status: Enabled
Resource
Memory address: [E8000C00 - E8000DFF]
Memory address: [E8000800 - E80008FF]
I/O address: [1C00 - 1CFF]
I/O address: [18C0 - 18FF]
IRQ: 11

Device class: Infrared
Device description: IBM ThinkPad Fast Infrared Port
Driver provider: National Semiconductor
Driver date: 3-17-2001
Driver version: 1.0.0.0
Device status: Enabled
Resource
I/O address: [02F8 - 02FF]
DMA: 3
IRQ: 3

Device class: Internal modem
Device description: Agere Systems AC'97 Modem
Driver provider: Agere
Driver date: 6-27-2003
Driver version: 2.1.31.0
Device status: Enabled
Resource
I/O address: [2400 - 24FF]
I/O address: [2000 - 207F]
IRQ: 11

Device class: PCI Device Setup
Device status: Enabled
Resource
IRQ: 11

Device class: Device Bay
Device status: Enabled
Resource
I/O address: [0170 - 0177]
IRQ: 15

Device status: Disabled
No resources used

Device class: Mouse
Device description: HID-compliant mouse
Driver provider: Microsoft
Driver date: 7-1-2001
Driver version: 5.1.2600.0
Device status: Enabled
No resources used

Device class: Net
Device description: Intel® PRO/100 VE Network Connection
Driver provider: Intel
Driver date: 9-17-2003
Driver version: 7.0.28.0
Device status: Enabled
Resource
Memory address: [E8200000 - E8200FFF]
I/O address: [4000 - 403F]
IRQ: 11

Device class: Modem
Device description: Communications cable between two computers
Driver provider: Microsoft
Driver date: 3-9-2000
Driver version: 5.1.2535.0
Device status: Enabled
No resources used

*********************************************************

HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 8:36:40 PM, on 2/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bonny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/...ntent/AcpIR.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\wanotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINDOWS\nav32.exe (file missing)

****************************************************************

EWIDO Most recent scan

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:26:15 PM, 2/18/2006
+ Report-Checksum: 7AA2B2FA

+ Scan result:

[1304] C:\WINDOWS\system32\wvidx.dll -> Adware.Look2Me : Error during cleaning
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057833.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057834.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057835.exe -> Downloader.VB.vr : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057836.exe -> Downloader.Adload.l : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057837.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057838.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057839.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057840.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057841.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057842.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057843.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057844.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057845.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057846.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057847.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057848.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057849.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057850.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057851.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057852.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057853.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057854.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057855.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057856.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057857.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057858.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057859.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057860.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057861.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057862.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057863.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057864.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057865.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057866.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057867.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057868.exe -> Not-A-Virus.RemoteAdmin.Win32.PLSRemot : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057869.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057870.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057871.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057872.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057873.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057874.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057875.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057876.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057877.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057878.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057879.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057880.exe -> Hijacker.VB.kc : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057881.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057882.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057883.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057884.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057892.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057913.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057920.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057927.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057955.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057961.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057962.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057963.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057964.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057965.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__wvidx.dll -> Adware.Look2Me : Cleaned with backup


::Report End
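An added example, not code from the thread or from HijackThis, showing how the triage a helper does by eye on a log like the one above can be automated: it parses the O4, O20 and O23 entries and the process list and flags the same patterns that were acted on here (the unknown Winlogon Notify DLL, services whose binary is missing, Run values with a bare filename). The allowlist of stock Winlogon Notify packages is an assumption for illustration, and the sample log is a constructed cut-down copy of the first log in this thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Winlogon Notify subkeys found on a stock Windows XP install. Assumption for illustration:
# a real allowlist comes from a clean baseline, and legitimate third-party packages
# (graphics drivers, AV products) also register here, so a hit means "verify", not "malware".
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")                          # "O20 - ..." lines
O20_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")                # package - dll
O23_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")                # name - owner - path
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")  # hive\..\Run: [label] cmd


@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM, LOW or INFO
    code: str      # HijackThis section code (O4, O20, O23) or PROC
    detail: str


def running_processes(text: str) -> list[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
        elif in_block:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def entries(text: str) -> list[tuple[str, str]]:
    """(code, body) for every 'Rn - ...' / 'Onn - ...' line in the log."""
    return [(m.group(1), m.group(2))
            for m in map(ENTRY_RE.match, map(str.strip, text.splitlines())) if m]


def command_executable(cmd: str) -> str:
    """The program part of a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(text: str) -> list[Finding]:
    """Flag the entry patterns a malware-removal helper looks at first."""
    findings: list[Finding] = []
    for code, body in entries(text):
        if code == "O20" and (m := O20_RE.match(body)):
            name, dll = m.groups()
            if name not in KNOWN_NOTIFY:  # winlogon.exe loads this DLL at every logon
                findings.append(Finding("HIGH", code,
                    f"Winlogon Notify package '{name}' -> {dll} is not in the baseline allowlist"))
        elif code == "O23" and (m := O23_RE.match(body)):
            name, owner, path = m.groups()
            if path.endswith("(file missing)"):  # registration outlived its binary
                sev = "HIGH" if owner == "Unknown owner" else "MEDIUM"
                findings.append(Finding(sev, code, f"service '{name}' ({owner}) points at missing {path}"))
        elif code == "O4" and (m := O4_RE.match(body)):
            hive, key, label, cmd = m.groups()
            exe = command_executable(cmd)
            if "\\" not in exe:  # bare name is resolved through the search path at boot
                findings.append(Finding("LOW", code, f"{hive}\\..\\{key} [{label}] runs bare '{exe}'"))
    for proc in running_processes(text):
        if proc.lower().startswith("c:\\documents and settings\\"):
            findings.append(Finding("INFO", "PROC", f"process running from a user profile: {proc}"))
    return findings


def counts(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per severity."""
    out: dict[str, int] = {}
    for f in findings:
        out[f.severity] = out.get(f.severity, 0) + 1
    return out


# Constructed sample: a cut-down copy of the first HijackThis log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Bonny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\wanotify.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINDOWS\nav32.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code:4} {f.detail}")
```

On the sample this reports the Hints/wanotify.dll Notify entry and the two missing-binary services as HIGH, the bare AGRSMMSG.exe Run value as LOW, and HijackThis itself (running from the desktop) as INFO, which is the reminder that the output is a worklist for a human, not a verdict.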

#2 Flrman1 (Malware Assassin, Retired Staff, 6,596 posts)
Hi gruurly

Welcome to G2G! :tazz:

* Click here to download Look2Me-Destroyer.exe and save it to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message:
    • Done removing infected files! Look2Me-Destroyer will now shutdown your computer
  • Click OK then your computer will shutdown.
  • Wait 60 seconds then turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

#3 gruurly (Topic Starter, Member, 26 posts)
Hello, and thanks for your very quick response! Here are my results:

Logfile of HijackThis v1.99.1
Scan saved at 9:31:44 PM, on 2/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bonny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/...ntent/AcpIR.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINDOWS\nav32.exe (file missing)

****************************************************************


Look2Me-Destroyer V1.0.5

Scanning for infected files.....
Scan started at 2/18/2006 9:21:41 PM

Infected! C:\WINDOWS\system32\wanotify.dll
Infected! C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058560.dll
Infected! C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058561.dll
Infected! C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058562.dll
Infected! C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058563.dll
Infected! C:\WINDOWS\system32\wanotify.dll
Infected! C:\WINDOWS\system32\__delete_on_reboot__amsldp.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\wanotify.dll
C:\WINDOWS\system32\wanotify.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058560.dll
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058560.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058561.dll
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058561.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058562.dll
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058562.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058563.dll
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058563.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wanotify.dll
C:\WINDOWS\system32\wanotify.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\__delete_on_reboot__amsldp.dll
C:\WINDOWS\system32\__delete_on_reboot__amsldp.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0A8B561E-7786-4B58-B7BB-908150BF7795}"
HKCR\Clsid\{0A8B561E-7786-4B58-B7BB-908150BF7795}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3C34AEFB-9C7B-415A-9FFF-A9BCB85F3D31}"
HKCR\Clsid\{3C34AEFB-9C7B-415A-9FFF-A9BCB85F3D31}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4B6981B9-3610-49A1-BC92-2A40A3BF13B6}"
HKCR\Clsid\{4B6981B9-3610-49A1-BC92-2A40A3BF13B6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F3C82D16-FFB9-447D-8568-48975AD8464A}"
HKCR\Clsid\{F3C82D16-FFB9-447D-8568-48975AD8464A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{102834EA-6523-41C0-B101-C858F795A91B}"
HKCR\Clsid\{102834EA-6523-41C0-B101-C858F795A91B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5AE4BC48-7AC7-482C-A6A7-05D94E48EFBF}"
HKCR\Clsid\{5AE4BC48-7AC7-482C-A6A7-05D94E48EFBF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{67982310-5C71-4069-89DB-C15A4327A9F5}"
HKCR\Clsid\{67982310-5C71-4069-89DB-C15A4327A9F5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1F12340A-76A1-4EAA-A714-B488F7C0ABBC}"
HKCR\Clsid\{1F12340A-76A1-4EAA-A714-B488F7C0ABBC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{031835B3-8951-4EAB-B1CA-35F6C6321AD2}"
HKCR\Clsid\{031835B3-8951-4EAB-B1CA-35F6C6321AD2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{98365AB5-9060-413B-82DD-E2FE1D35448B}"
HKCR\Clsid\{98365AB5-9060-413B-82DD-E2FE1D35448B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2B4B8C43-68F5-4FCD-B1F1-8F3937EA7D5B}"
HKCR\Clsid\{2B4B8C43-68F5-4FCD-B1F1-8F3937EA7D5B}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
  • 0

#4
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Go to Start > Run and type in cmd

Click OK

This will open a command shell. In the command window Copy and Paste the following commands one at a time exactly as they appear below and hit the Enter key after each one:

sc stop windows antivirus

Hit Enter

sc delete windows antivirus

Hit Enter

exit

Hit Enter


* Run ActiveScan online virus scan here

When the scan is finished, save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
  • 0

#5
gruurly

gruurly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Hello again,

I tried, but I received the following error:

The specified service does not exist as an installed service.

However, I wasn't at the C:\ prompt, I was at C:\Documents and Settings\myname.IBM then a bunch of numbers.

I am scanning Panda now anyways, and will post here when done.

[on edit] Can't seem to get Panda to work, it just hangs.

Edited by gruurly, 19 February 2006 - 01:49 PM.

  • 0

#6
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Run Kaspersky online virus scan here.

When given the option, choose the "Extended database" for the scan.

When the scan is finished, Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan
  • 0

#7
gruurly

gruurly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Doesn't look like Kaspersky actually deleted anything.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, February 19, 2006 7:30:26 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 20/02/2006
Kaspersky Anti-Virus database records: 177553
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 48624
Number of viruses found: 13
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 01:17:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0NGXCDCV\drupdate[3].exe Infected: Trojan-Downloader.Win32.Adload.q skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0NGXCDCV\installer[1].exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0NGXCDCV\installer[1].exe Inno: infected - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0NGXCDCV\installer[2].exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0NGXCDCV\installer[2].exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033006.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.p skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033006.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033249.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033249.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033249.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ak skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033249.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033249.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033249.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033252.exe/data0001 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP64\A0033252.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP66\A0040608.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ai skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP66\A0040608.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP66\A0040608.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ak skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP66\A0040608.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP66\A0040608.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP66\A0040608.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP69\A0047770.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP69\A0047771.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP69\A0048713.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP72\A0052892.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0056239.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0056332.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057824.exe Infected: Trojan-Downloader.Win32.Adload.q skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057959.exe Infected: Trojan-Downloader.Win32.Adload.q skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058558.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058559.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058564.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP86\A0058565.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\WINDOWS\system32\DH9013.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\system32\DH9013.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

Scan process completed.

******************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 7:31:58 PM, on 2/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\BONNY~1.IBM\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\BONNY~1.IBM\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\Bonny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/...ntent/AcpIR.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINDOWS\nav32.exe (file missing)
  • 0

#8
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Click here to download ATF Cleaner by Atribune and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
* Click Start > Run > and type in:

services.msc

Click OK.

In the services window find windows virus scanner.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


* Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Delete an NT service" button. Copy and paste this line in that box:

windows antivirus

Click OK.


* Click Here and download Killbox and save it to your desktop.

* Double-click on Killbox.exe to run it.
  • Put a tick by Delete on Reboot.
  • Copy the following list of files to clipboard:

    C:\WINDOWS\system32\DH9013.exe
    C:\WINDOWS\system32\i


  • Next in Killbox go to File > Paste from clipboard
  • Click on the All Files button.
  • Next click on the button that has the red circle with the white X in the middle.
  • It will ask for confirmation to delete the files on next reboot and ask you if you want to reboot now.
  • Click Yes and let the computer reboot.
* After it reboots, go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it.

Post a new HiJackThis log and report back what the Housecall scan found.
  • 0
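The service-removal steps in this thread (the `sc stop` / `sc delete` commands in #4, and the services.msc and HijackThis "Delete an NT service" route above) both turn on reading the O23 lines of a HijackThis log correctly. The following is an added example of my own, not code from the thread, from HijackThis or from any tool named here: it parses O23 lines, scores each service with a simple heuristic (no publisher, binary missing from disk, security-product style name with no publisher) and prints properly quoted `sc` commands for the entries worth a closer look. The sample lines are copied from the logs posted in this thread; the scoring rules and the threshold of 3 are my own assumptions.

```python
"""Triage the O23 (NT service) lines of a HijackThis 1.99 log.

Added example; not part of the Geeks to Go thread or of HijackThis.
The scoring heuristic below is an assumption of this example, not a
rule any of the tools in the thread apply.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O23 lines copied from the logs posted in the thread,
# plus one O4 line to show that non-O23 lines are ignored.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINDOWS\nav32.exe (file missing)
"""

# Words that a rogue service likes to put in its display name (assumption).
SECURITY_WORDS = ("virus", "antivirus", "security", "firewall", "spyware")


@dataclass
class ServiceEntry:
    display: str            # display name shown in services.msc
    short: Optional[str]    # key (short) name, the one sc.exe takes; may be absent
    owner: str              # publisher from the binary's version info
    path: str               # image path
    file_missing: bool      # HijackThis appended "(file missing)"
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def split_short_name(display_part: str):
    """Split 'Display (short)' into its two parts.

    Scans backwards and counts parentheses so that a nested short name
    like 'SoundMAX Agent Service (default)' is kept whole.
    """
    if not display_part.endswith(")"):
        return display_part, None
    depth = 0
    for i in range(len(display_part) - 1, -1, -1):
        if display_part[i] == ")":
            depth += 1
        elif display_part[i] == "(":
            depth -= 1
            if depth == 0:
                return display_part[:i].rstrip(), display_part[i + 1:-1]
    return display_part, None


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one 'O23 - Service:' line; any other line yields None."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    rest = line[len(prefix):].rstrip()
    missing = rest.endswith(" (file missing)")
    if missing:
        rest = rest[: -len(" (file missing)")]
    try:
        display_part, owner, path = rest.rsplit(" - ", 2)
    except ValueError:
        return None  # malformed line, not three ' - ' separated fields
    display, short = split_short_name(display_part)
    return ServiceEntry(display, short, owner, path, missing)


def score_entry(e: ServiceEntry) -> ServiceEntry:
    """Attach a suspicion score; the weights are this example's assumption."""
    if e.owner == "Unknown owner":
        e.score += 1
        e.reasons.append("no publisher in the binary's version info")
    if e.file_missing:
        e.score += 2
        e.reasons.append("registered binary is no longer on disk (orphaned or self-deleting)")
    names = (e.display + " " + (e.short or "")).lower()
    if e.owner == "Unknown owner" and any(w in names for w in SECURITY_WORDS):
        e.score += 2
        e.reasons.append("security-product style name without a publisher")
    return e


def triage(log_text: str, threshold: int = 3) -> List[ServiceEntry]:
    """Return scored O23 entries at or above the threshold, highest first."""
    entries = [parse_o23(line) for line in log_text.splitlines()]
    scored = [score_entry(e) for e in entries if e is not None]
    return sorted((e for e in scored if e.score >= threshold), key=lambda e: -e.score)


def sc_commands(e: ServiceEntry) -> List[str]:
    """Inspect-then-remove commands for a confirmed rogue service.

    sc.exe wants the key (short) name, not the display name, and the name
    must be quoted: unquoted, 'sc stop windows antivirus' takes only
    'windows' as the service name and fails with 'The specified service
    does not exist as an installed service', which is exactly the error
    reported in this thread.
    """
    name = e.short or e.display
    return [f'sc query "{name}"', f'sc stop "{name}"', f'sc delete "{name}"']


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"[score {entry.score}] {entry.display} ({entry.short}) -> {entry.path}")
        for reason in entry.reasons:
            print("   -", reason)
        for cmd in sc_commands(entry):
            print("   ", cmd)
```

Run against the sample, only the "windows antivirus" service (score 5) and the orphaned PLSRemoteSvc entry (score 3) are reported; the IBM services with "Unknown owner" score 1 and stay below the threshold, which is the judgement the helper made by eye in this thread. The `sc query` command comes first so the service is confirmed before anything is stopped or deleted.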

#9
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Where is your antivirus?
  • 0

#10
gruurly

gruurly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I am downloading these now and will post here once I know.

I'm surprised; I thought I had one installed, but I'm obviously mistaken. What do you recommend I get or purchase for an anti-virus?
  • 0

#11
gruurly

gruurly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Hello again,

Trend Micro found a tremendous amount of greyware/malware/spyware on my system.

TRAK_SE.7851, 2, 3, 4
TROJ_SE.85638
TROJ_SE.76892
.. and so forth, I wasn't able to type any more before they were deleted.

However, some were not able to be removed from my system:
1 - HKLM\SYSTEM\CurrentControlSet\Services\cmdservice
1 - HKLM\SYSTEM\ControlSet001\Services\cmdservice
2 - HKCU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\CU1
HKCU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\CU1
1- HKCU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\CU2

And then a whole host of vulnerabilities (which I knew of because I need to do the MS updates, but once again didn't think that was a good idea until I had this problem resolved).

When I tried to get more information on these problems above, IE crashed.

Logfile of HijackThis v1.99.1
Scan saved at 6:32:59 PM, on 2/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bonny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/...ntent/AcpIR.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#12
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* I am attaching a fix.zip file to this post. It contains a fix.reg file to remove those registry entries that the Housecall scan found. Download it and unzip it.

Doubleclick on the fix.reg file to add it to the registry. Answer yes to confirm the merge.


* Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

Attached Files

  • Attached File  fix.zip   266bytes   200 downloads

  • 0

#13
gruurly

gruurly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
The list, as requested. As an aside, I was able to, finally, uninstall the driver for the Wireless LAN Adapter (which I wasn't able to previously), but still cannot install the new driver that IBM states is the replacement and will fix the connectivity issues I was having. Anyway, here you go. The only things I don't recognize on this list, if it helps, are "alm" and "TPNala Wallpaper". Software Installer is the program IBM required me to install in order to update all of my drivers.

Access IBM
Access IBM Tools
Ad-Aware SE Personal
Adobe Acrobat 7.0 Professional
Agere Systems AC'97 Modem
Ahead Nero Burning ROM
alm
Article Distributor
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BitTorrent 4.4.1
Core FTP LE 1.3c
DivX
DivX Player
ewido anti-malware
FlashGet(JetCar)
HijackThis 1.99.1
HydraVision
IBM Access Connections
IBM DLA
IBM Rapid Restore PC Setup
IBM RecordNow
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Presentation Director
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
InterVideo WinDVD
iPod for Windows
iTunes
Kaspersky On-line Scanner
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Office Visio Professional 2003
Microsoft Office XP Professional with FrontPage
Microsoft Publisher 2002
MSN Messenger 7.5
Nvu 1.0
Panda ActiveScan
QuickTime
Skype 1.4
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Software Installer
Sonar2
SoulSeek 157 test 8
SoundMAX
Spybot - Search & Destroy 1.2.1 beta 3
SpywareBlaster v2.6.1
System Migration Assistant
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Keyboard Customizer Utility
ThinkPad Power Management Driver
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
TimeTo
TPNala Wallpaper
TrackPoint Accessibility Features
Trend Micro Anti-Spyware
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
Yahoo! Messenger
yWriter2
ZoneAlarm Pro
  • 0

#14
gruurly

gruurly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
So, at your suggestion, I installed a VirusScanner, AntiVir. It's now running. I did a scan, here are the results from that scan as well, if it helps:



Report file date: February 21, 2006 20:47


Jobname: 'Local Drives'

Scanning for 318069 virus strains and unwanted programs.

Licensed to: AntiVir PersonalEdition Classic
Serialnumber: 0000149996-WURGE-0001
Platform: Windows XP
Windowsversion: (Service Pack 1) [5.1.2600]
Username: Bonny
Computername: IBM-2CEFD0C412D

Versioninformations:
AVSCAN.EXE : 7.0.0.21 528424 1/31/2006 18:54:48
AVSCAN.DLL : 7.0.0.21 42536 1/31/2006 18:54:48
LUKE.DLL : 7.0.0.21 114728 1/31/2006 18:54:48
LUKERES.DLL : 7.0.0.21 27688 1/31/2006 18:54:48
ANTIVIR0.VDF : 6.32.0.60 4323840 12/6/2005 18:47:34
ANTIVIR1.VDF : 6.33.0.207 1160192 2/8/2006 16:09:40
ANTIVIR2.VDF : 6.33.1.4 144896 2/22/2006 03:46:18
ANTIVIR3.VDF : 6.33.1.16 27648 2/22/2006 03:46:18
AVEWIN32.DLL : 6.33.0.36 1163776 2/22/2006 03:46:18
AVPREF.DLL : 6.34.0.0 38440 1/18/2006 20:06:02
AVREP.DLL : 6.33.1.0 2392104 2/22/2006 03:46:18
AVPACK32.DLL : 6.33.0.6 331816 1/9/2006 17:03:38
AVREG.DLL : 6.31.0.90 27688 7/28/2005 18:06:36
NETNT.DLL : 6.32.0.0 6696 9/27/2005 15:56:50
NETNW.DLL : 6.32.0.0 9768 9/27/2005 15:56:50


Start of the scan: February 21, 2006 20:47


Start scanning boot sectors:

Boot sector 'C:'
[NOTE] No virus was found!

Starting to scan the registry.

The registry was scanned ( 37 files ).


Starting the file scan:

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\Local Settings\Temporary Internet Files\Content.IE5\DNJXVTZG\loader138[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.VS
[INFO] The file was deleted!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\Local Settings\Temporary Internet Files\Content.ie5\dnjxvtzg\registryfix[1]
[DETECTION] Contains signature of the exploits EXP/MS05-013
[INFO] The file was deleted!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\Local Settings\Temporary Internet Files\Content.IE5\DNJXVTZG\ysb_prompt[1].htm
[DETECTION] Contains signature of the Java script virus JS/Dldr.IstBar.j.6
[INFO] The file was deleted!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\Local Settings\Temporary Internet Files\Content.IE5\TOT139DF\drsmartload95a[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.O.3
[INFO] The file was deleted!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\Local Settings\Temporary Internet Files\Content.IE5\UFKFJGLC\install[1].htm
[DETECTION] Contains signature of the exploits EXP/HTML.CodeBaseEx
[INFO] The file was deleted!
C:\Documents and Settings\Bonny.IBM-2CEFD0C412D\Local Settings\Temporary Internet Files\Content.IE5\UFKFJGLC\loadadv728[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.cjg.115
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0NGXCDCV\drupdate[3].exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.Q.6
[INFO] The file was deleted!
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057824.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.Q.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{EA1BBC1A-EF85-49C5-A40A-3CA54F874053}\RP74\A0057959.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.Q.6
[INFO] The file was deleted!
C:\WINDOWS\drsmartload95a.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.O.3
[INFO] The file was deleted!
C:\WINDOWS\loadadv728.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.cjg.115
[INFO] The file was deleted!
C:\WINDOWS\loader138.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.VS
[INFO] The file was deleted!
C:\WINDOWS\backup\S\51008000.dat
[DETECTION] Is the Trojan horse TR/Dldr.IstBar.OW.1
[INFO] The file was deleted!
C:\WINDOWS\system32\config\DEFAULT
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SOFTWARE
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SYSTEM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\ZLT070fc.TMP
[WARNING] The file could not be opened!


End of the scan: February 21, 2006 21:57
Used time: 1:09:49 min

The scan has been done completely.

3926 Scanning directories
253041 Files were scanned
13 viruses and/or unwanted programs was found
13 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2902 Archives were scanned
54 Warnings
2 Notes

#15
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
How is everything now?