Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page trojan removal
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 03-12-2009, 04:44 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


trojan removal
I have a problem with a recurring trojan. McAfee on access scan detects trojans categorized as generic downloader, downloader-BKA, or vundo.gen.ab. full system scans by malwarebytes, spybot search and destroy, windows defender, vundofix, and McAfee on demand scan come up clean, yet the trojan continues to come back. I recently added windows defender and it simultaneously detects the vundo.gen.ab with McAfee. When windows defender tries to delete the trojan McAfee on access scan is temporarily disabled for some reason.
the log file requested is here:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Stoycho at 17:24:30.25 on Thu 03/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.141 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\windows\system32\ibmpmsvc.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
C:\windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\windows\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\windows\Explorer.EXE
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\windows\system32\TpShocks.exe
C:\windows\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Documents and Settings\Stoycho\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {2DADE4AF-94B3-4172-BFB4-4C3F23A02CC2} - No File
BHO: {2EAD5F0E-515C-4172-9535-31FFC7E23BD0} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
{e188f22e-59e6-458b-aaa7-efc0f5b1122e}
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {3234EECA-AA3C-4CDC-92ED-CB1BC78FDB0F} - No File
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrackPointSrv] "c:\program files\lenovo\trackpoint\tp4serv.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AwaySch] "c:\program files\lenovo\awaytask\AwaySch.EXE"
mRun: [TpShocks] TpShocks.exe
mRun: [TPKMAPHELPER] "c:\program files\thinkpad\utilities\TpKmapAp.exe" -helper
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197067049953
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197067105187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
Notify: wvUmnKBQ - wvUmnKBQ.dll
AppInit_DLLs: ckgtzh.dll znjafx.dll zxsbjx.dll rsfjwn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJBuvtq
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stoycho\applic~1\mozilla\firefox\profiles\qs2q3rro.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-5-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-12-12 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-12-12 4224]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-12-10 4442]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-21 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2008-9-27 94208]
R2 tp4serv;tp4serv;c:\program files\lenovo\trackpoint\tp4servinst.exe [2007-11-8 35616]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-1-21 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-1-21 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-1-21 174952]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys --> c:\windows\system32\drivers\phqghume.sys [?]
S0 hbuctkhm;hbuctkhm;c:\windows\system32\drivers\sycxcvez.sys --> c:\windows\system32\drivers\sycxcvez.sys [?]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\stoycho\locals~1\temp\cha04748\~ic30\instal~1.exe --> c:\docume~1\stoycho\locals~1\temp\cha04748\~ic30\INSTAL~1.EXE [?]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-9-24 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-9-24 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-9-24 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-9-24 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-9-24 100648]
S3 D100IB;D100IB;c:\windows\system32\drivers\D100IB5.SYS [2007-12-7 117760]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-3-9 32512]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-4-26 22568]

=============== Created Last 30 ================

2009-03-11 00:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-11 00:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-10 22:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2009-03-10 22:50 <DIR> --d----- c:\program files\Yahoo! Games
2009-03-10 22:48 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-09 22:15 233,472 a------- c:\windows\system32\wpcap.dll
2009-03-09 22:15 81,920 a------- c:\windows\system32\packet.dll
2009-03-09 22:15 61,440 a------- c:\windows\system32\wanpacket.dll
2009-03-09 22:15 57,344 a------- c:\windows\system32\abacadaba.exe
2009-03-09 22:15 32,512 a------- c:\windows\system32\drivers\npf.sys
2009-03-09 18:48 <DIR> --d----- c:\windows\pss
2009-03-09 16:10 <DIR> --d----- c:\program files\Enigma Software Group
2009-03-08 23:06 <DIR> --d----- C:\VundoFix Backups
2009-03-07 00:40 31,744 a------- c:\windows\system32\RHHULu5q.exe

==================== Find3M ====================

2009-03-10 22:48 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 17:25:43.81 ===============



I can't complete the GMER scan due to a BSOD error
Attached Files
File Type: zip attach.zip.zip (53.6 KB, 3 views)
Last edited by zokoloto; 03-12-2009 at 05:03 PM.
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 03-13-2009, 01:20 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: trojan removal
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 12:43 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
ComboFix 09-03-13.01 - Stoycho 2009-03-13 17:28:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.1448 [GMT -5:00]
Running from: c:\documents and settings\Stoycho\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
c:\windows\ilopoqoxe.dll
c:\windows\system32\DNVwaGgh.ini
c:\windows\system32\drivers\npf.sys
c:\windows\system32\init32.exe
c:\windows\system32\packet.dll
c:\windows\system32\test.ttt
c:\windows\system32\wanpacket.dll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 11:08 . 2009-03-13 11:08 <DIR> d-------- c:\documents and settings\Stoycho\(null)
2009-03-11 10:32 . 2009-03-11 10:32 1,374 --a------ c:\windows\imsins.BAK
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 22:51 . 2009-03-10 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-03-10 22:50 . 2009-03-10 22:50 <DIR> d-------- c:\program files\Yahoo! Games
2009-03-10 22:48 . 2009-03-10 22:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-10 22:47 . 2009-03-10 22:47 <DIR> d-------- c:\program files\Java
2009-03-09 22:15 . 2009-03-09 22:15 57,344 --a------ c:\windows\system32\abacadaba.exe
2009-03-09 16:21 . 2009-03-09 16:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-09 16:10 . 2009-03-11 00:52 <DIR> d-------- c:\program files\Enigma Software Group
2009-03-08 23:06 . 2009-03-08 23:06 <DIR> d-------- C:\VundoFix Backups
2009-03-07 00:40 . 2009-03-07 00:40 31,744 --a------ c:\windows\system32\RHHULu5q.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 00:28 --------- d-----w c:\documents and settings\Stoycho\Application Data\HPAppData
2009-03-11 15:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-13 04:56 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-06 03:39 --------- d-----w c:\documents and settings\Stoycho\Application Data\Azureus
2009-01-21 22:37 --------- d-----w c:\program files\McAfee
2009-01-21 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-21 22:36 --------- d-----w c:\program files\Common Files\McAfee
2009-01-21 02:21 --------- d-----w c:\documents and settings\Stoycho\Application Data\Malwarebytes
2009-01-21 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2007-11-08 92960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-10-27 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 185896]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-20 487424]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-08-18 604776]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-27 50688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 10:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 13:14 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-10-27 03:57 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Voip\\Communicator\\Communicator.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27730:TCP"= 27730:TCP:BitComet 27730 TCP
"27730:UDP"= 27730:UDP:BitComet 27730 UDP

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-12-12 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-12-12 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-12-10 4442]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [2008-09-27 94208]
R2 tp4serv;tp4serv;c:\program files\Lenovo\TrackPoint\tp4servinst.exe [2007-11-08 35616]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys --> c:\windows\system32\drivers\phqghume.sys [?]
S0 hbuctkhm;hbuctkhm;c:\windows\system32\drivers\sycxcvez.sys --> c:\windows\system32\drivers\sycxcvez.sys [?]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Stoycho\LOCALS~1\Temp\CHa04748\~ic30\INSTAL~1.EXE --> c:\docume~1\Stoycho\LOCALS~1\Temp\CHa04748\~ic30\INSTAL~1.EXE [?]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-09-24 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-09-24 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-09-24 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-09-24 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-09-24 100648]
S3 D100IB;D100IB;c:\windows\system32\drivers\D100IB5.SYS [2007-12-07 117760]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-04-26 22568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2e765c-9769-11dd-940d-001e4cf2ff80}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf8de39f-0d1b-11de-9496-001de054b57f}]
\Shell\AutoRun\command - f:\programs\nu2menu\nu2menu.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\At1.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-12 c:\windows\Tasks\At10.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-12 c:\windows\Tasks\At11.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-12 c:\windows\Tasks\At12.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At13.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At14.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At15.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At16.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At17.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At18.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At19.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-12 c:\windows\Tasks\At2.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At20.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At21.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At22.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At23.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At24.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-12 c:\windows\Tasks\At25.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At26.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At27.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At28.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At29.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At3.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-12 c:\windows\Tasks\At30.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At31.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At32.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At33.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At34.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At35.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At36.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At37.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At38.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At39.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At4.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At40.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At41.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At42.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At43.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At44.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At45.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At46.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At47.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-13 c:\windows\Tasks\At48.job
- c:\windows\system32\OChcPl3h.exe []

2009-03-12 c:\windows\Tasks\At49.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At5.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-12 c:\windows\Tasks\At50.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At51.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At52.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At53.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At54.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At55.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At56.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At57.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At58.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At59.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At6.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-12 c:\windows\Tasks\At60.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At61.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At62.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At63.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At64.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At65.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At66.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At67.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At68.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At69.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At7.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-13 c:\windows\Tasks\At70.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At71.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-13 c:\windows\Tasks\At72.job
- c:\windows\system32\RHHULu5q.exe [2009-03-07 00:40]

2009-03-12 c:\windows\Tasks\At8.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-12 c:\windows\Tasks\At9.job
- c:\windows\system32\NKS7gN16.exe []

2009-03-14 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-09-25 01:47]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2DADE4AF-94B3-4172-BFB4-4C3F23A02CC2} - (no file)
BHO-{2EAD5F0E-515C-4172-9535-31FFC7E23BD0} - (no file)
BHO-{E188F22E-59E6-458B-AAA7-EFC0F5B1122E} - (no file)
Toolbar-{3234EECA-AA3C-4CDC-92ED-CB1BC78FDB0F} - (no file)
WebBrowser-{3234EECA-AA3C-4CDC-92ED-CB1BC78FDB0F} - (no file)
Notify-wvUmnKBQ - wvUmnKBQ.dll


.
------- Supplementary Scan -------
.
uStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Stoycho\Application Data\Mozilla\Firefox\Profiles\qs2q3rro.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 01:37:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(984)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
.
**************************************************************************
.
Completion time: 2009-03-14 1:40:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 06:39:58

Pre-Run: 44,595,253,248 bytes free
Post-Run: 44,501,094,400 bytes free

385 --- E O F --- 2009-03-13 04:02:36
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 01:35 AM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: trojan removal
Hello zokoloto.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/355474-trojan-removal.html#post2021421

Collect::
c:\windows\system32\abacadaba.exe
c:\windows\system32\RHHULu5q.exe

AtJob::

File::
c:\windows\imsins.BAK

Folder::
c:\program files\Enigma Software Group
C:\VundoFix Backups
c:\documents and settings\Stoycho\Application Data\Azureus
c:\documents and settings\All Users\Application Data\Viewpoint

DDS::
uStart Page =

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27730:TCP"=-
"27730:UDP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf8de39f-0d1b-11de-9496-001de054b57f}]

DirLook::
c:\documents and settings\Stoycho\(null)

Driver::
aylnlfdx
hbuctkhm
CiscoVpnInstallService
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

C:\CF-Submit.htm

Please follow the instructions for submitting the file for analysis and let me know it was submitted.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 12:02 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
here is the new combofix log. there was no message box and the submit command did not work, so I couldn't submit it.

ComboFix 09-03-13.02 - Stoycho 2009-03-14 12:49:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.1439 [GMT -5:00]
Running from: c:\documents and settings\Stoycho\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stoycho\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\imsins.BAK
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\Stoycho\Application Data\Azureus
c:\documents and settings\Stoycho\Application Data\Azureus\.certs
c:\documents and settings\Stoycho\Application Data\Azureus\.keystore
c:\documents and settings\Stoycho\Application Data\Azureus\.lock
c:\documents and settings\Stoycho\Application Data\Azureus\active\7DA9903961B492B2BCDB303F014C6CFADAF21CB5.dat
c:\documents and settings\Stoycho\Application Data\Azureus\active\7DA9903961B492B2BCDB303F014C6CFADAF21CB5.dat.bak
c:\documents and settings\Stoycho\Application Data\Azureus\active\9BF8DE02FD964715F9A7BBC809E1AA95A90E2BB7.dat
c:\documents and settings\Stoycho\Application Data\Azureus\active\9BF8DE02FD964715F9A7BBC809E1AA95A90E2BB7.dat.bak
c:\documents and settings\Stoycho\Application Data\Azureus\active\AA5B1A1C09BAF2B6829180C4078546462E1B0833.dat
c:\documents and settings\Stoycho\Application Data\Azureus\active\AA5B1A1C09BAF2B6829180C4078546462E1B0833.dat.bak
c:\documents and settings\Stoycho\Application Data\Azureus\active\C20987D39C1AF03A4F45833B1ED5C5D4EDEA3CF4.dat
c:\documents and settings\Stoycho\Application Data\Azureus\active\C20987D39C1AF03A4F45833B1ED5C5D4EDEA3CF4.dat.bak
c:\documents and settings\Stoycho\Application Data\Azureus\active\cache.dat
c:\documents and settings\Stoycho\Application Data\Azureus\active\E1A06C6A0F5CF095401E38CF2844EE90160C0A25.dat
c:\documents and settings\Stoycho\Application Data\Azureus\active\E1A06C6A0F5CF095401E38CF2844EE90160C0A25.dat.bak
c:\documents and settings\Stoycho\Application Data\Azureus\azureus.config
c:\documents and settings\Stoycho\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\azureus.statistics
c:\documents and settings\Stoycho\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Stoycho\Application Data\Azureus\banips.config
c:\documents and settings\Stoycho\Application Data\Azureus\banips.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\cnetworks.config
c:\documents and settings\Stoycho\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Stoycho\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Stoycho\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Stoycho\Application Data\Azureus\dht\general.dat
c:\documents and settings\Stoycho\Application Data\Azureus\dht\version.dat
c:\documents and settings\Stoycho\Application Data\Azureus\downloads.config
c:\documents and settings\Stoycho\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\friends.config
c:\documents and settings\Stoycho\Application Data\Azureus\friends.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Stoycho\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\AutoSpeed_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\AutoSpeed_2.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\CNetworks_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\SpeedMan_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\SpeedMan_2.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\logs\v3.STres_1.log
c:\documents and settings\Stoycho\Application Data\Azureus\metasearch.config
c:\documents and settings\Stoycho\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\net\pm_7212.dat
c:\documents and settings\Stoycho\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Stoycho\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Stoycho\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\subs\7121CFED9C398458EF19.vuze
c:\documents and settings\Stoycho\Application Data\Azureus\subs\8518327D0D62BB94EF10.vuze
c:\documents and settings\Stoycho\Application Data\Azureus\subs\87ADF8E41A1DB5628FEF.vuze
c:\documents and settings\Stoycho\Application Data\Azureus\subscriptions.config
c:\documents and settings\Stoycho\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\tables.config
c:\documents and settings\Stoycho\Application Data\Azureus\tables.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\timingstats.dat
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU1449414615369150865.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU2039570727634398635.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU2726878675990760168.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU303335082749966140.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU4464518351078302755.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU4604998194489200953.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU4932560432512763442.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU5356335341075574405.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU5617932632686766536.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU6168242596777812322.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU6376623857020978612.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU6760441954989949849.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU7889957383161654391.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU8625340266216490450.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\AZU8805368722798064578.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\tmp\speedTestTorrent.torrent
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\AZU14302.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\AZU17185.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\AZU2499945220861839205.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\AZU5802315742855061753.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\AZU745532757101077524.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\AZU858.tmp
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\Death.Cab.For.Cutie-The.Photo.Album[2001]192k-ll3ph7.4473021.TPB.torrent
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\Of_Montreal_-_Skeletal_Lamping.4360554.TPB.torrent
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\sigur ros(192kbs)takk [mininova].torrent
c:\documents and settings\Stoycho\Application Data\Azureus\torrents\Sigur_Ros_-_Med_Sud_I_Eyrum_Vid_Spilum_Endalaust_-_320kb.4260414.TPB.torrent
c:\documents and settings\Stoycho\Application Data\Azureus\tracker.config
c:\documents and settings\Stoycho\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\unsentdata.config
c:\documents and settings\Stoycho\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\update.log
c:\documents and settings\Stoycho\Application Data\Azureus\update.properties
c:\documents and settings\Stoycho\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Stoycho\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Stoycho\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Stoycho\Application Data\Azureus\VuzeActivities.config.bak
c:\documents and settings\Stoycho\Application Data\Azureus\xerks.exe
c:\program files\Enigma Software Group
C:\VundoFix Backups
c:\windows\imsins.BAK
c:\windows\system32\abacadaba.exe
c:\windows\system32\RHHULu5q.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CISCOVPNINSTALLSERVICE
-------\Legacy_HBUCTKHM
-------\Service_aylnlfdx
-------\Service_CiscoVpnInstallService
-------\Service_hbuctkhm


((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 11:08 . 2009-03-13 11:08 <DIR> d-------- c:\documents and settings\Stoycho\(null)
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 22:51 . 2009-03-10 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-03-10 22:50 . 2009-03-10 22:50 <DIR> d-------- c:\program files\Yahoo! Games
2009-03-10 22:48 . 2009-03-10 22:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-10 22:47 . 2009-03-10 22:47 <DIR> d-------- c:\program files\Java
2009-03-09 16:21 . 2009-03-09 16:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 00:28 --------- d-----w c:\documents and settings\Stoycho\Application Data\HPAppData
2009-03-11 15:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-13 04:56 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-21 22:37 --------- d-----w c:\program files\McAfee
2009-01-21 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-21 22:36 --------- d-----w c:\program files\Common Files\McAfee
2009-01-21 02:21 --------- d-----w c:\documents and settings\Stoycho\Application Data\Malwarebytes
2009-01-21 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\Stoycho\(null) ----

2009-03-13 11:08 113 --a------ c:\documents and settings\Stoycho\(null)\tvtsched.log


((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 1.39.10.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-14 17:52:26 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_16c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2007-11-08 92960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-10-27 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 185896]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-20 487424]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-08-18 604776]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-27 50688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 10:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 13:14 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-10-27 03:57 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Voip\\Communicator\\Communicator.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-12-12 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-12-12 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-12-10 4442]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [2008-09-27 94208]
R2 tp4serv;tp4serv;c:\program files\Lenovo\TrackPoint\tp4servinst.exe [2007-11-08 35616]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-09-24 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-09-24 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-09-24 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-09-24 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-09-24 100648]
S3 D100IB;D100IB;c:\windows\system32\drivers\D100IB5.SYS [2007-12-07 117760]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-04-26 22568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2e765c-9769-11dd-940d-001e4cf2ff80}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-09-25 01:47]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Stoycho\Application Data\Mozilla\Firefox\Profiles\qs2q3rro.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 12:53:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(984)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
.
**************************************************************************
.
Completion time: 2009-03-14 12:56:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 17:56:30
ComboFix2.txt 2009-03-14 06:40:02

Pre-Run: 45,506,150,400 bytes free
Post-Run: 45,488,148,480 bytes free

405 --- E O F --- 2009-03-13 04:02:36
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 01:20 PM   #6 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
I'm not sure if the virus removal process is supposed to be near completion, but McAfee on access scan just popped up with a message saying it detected and deleted a vundo!grb trojan. I then decided to run a malwarebytes scan, and 3 minutes in it has already made 28 dections. I have not been to any high risk websites, and I have had McAfee active for all of the web surfing I have done.
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 01:36 PM   #7 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: trojan removal
Hello again, zokoloto. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Your log shows no sign of active infection. McAfee and MBAM are likely detecting files that have been quarantined by ComboFix or infections in old system restore points. Neither can do harm if you follow my directions.

Please refer back to post #2 above:

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

That's OK. We can submit the file another way:

There should be a file named [4]-Submit_date@time.zip located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

and include this link in the message:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/355474-trojan-removal.html#post2021421

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Last edited by chemist; 03-14-2009 at 01:51 PM.
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 02:07 PM   #8 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
I know this is not what you asked for, but I started the scan because there were popups. Previous to any action I took following the instructions on this site my computer did not have popups, so this is either a new infection or something else is happening. here is the malwarebytes log from the scan (note I did not complete a full system scan, there may be more) I have stopped my scans and will now follow your instructions.

Malwarebytes' Anti-Malware 1.34
Database version: 1848
Windows 5.1.2600 Service Pack 3

3/14/2009 3:03:14 PM
mbam-log-2009-03-14 (15-03-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 75306
Time elapsed: 47 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\judopuje.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mokejudu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\huyahife.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vibinuze.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ninegozu.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c03fc7e9-b075-42bf-990d-ed9982adcbe9} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c03fc7e9-b075-42bf-990d-ed9982adcbe9} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88b997e1-aa58-4d41-859e-345038c5d015} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{88b997e1-aa58-4d41-859e-345038c5d015} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{88b997e1-aa58-4d41-859e-345038c5d015} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\revotawuka (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74b94730 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm778a74ac (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\judopuje.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\judopuje.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\judopuje.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\huyahife.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\huyahife.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cqlrey.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\veregofu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mokejudu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\huyahife.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vibinuze.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\judopuje.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ninegozu.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Stoycho\Local Settings\Temporary Internet Files\Content.IE5\YUOWRYIR\OmraiRl[1] (Trojan.Vundo.H) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\RHHULu5q.exe.vir (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{C78EA865-F667-448C-8520-5177DA47697F}\RP3\A0000294.exe (Trojan.Agent) -> No action taken.
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 02:22 PM   #9 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: trojan removal
Hello again, zokoloto. You have a new infection since you posted the ComboFix log.

Disable McAfee, close your browsers and all other applications, double-click ComboFix.exe and follow the prompts to run it. Post the new log in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 02:52 PM   #10 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
I would like to figure out how I keep getting new infections. I have not used any torrent sites, or any site I would consider high risk in any way. Over a month ago my computer was first infected when I visited a site attempting to find a live streaming feed of a soccer match. after that I installed malwarebytes and the infection seemed to be removed. after some time however the problems I listed originally started to occur. It seems the moment I shut off McAfee my computer gets reinfected.

ComboFix 09-03-13.02 - Stoycho 2009-03-14 15:37:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.1363 [GMT -5:00]
Running from: c:\documents and settings\Stoycho\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cqlrey.dll
c:\windows\system32\huyahife.dll
c:\windows\system32\judopuje.dll
c:\windows\system32\mokejudu.dll
c:\windows\system32\ninegozu.dll
c:\windows\system32\udujekom.ini
c:\windows\system32\veregofu.dll
c:\windows\system32\vibinuze.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 11:08 . 2009-03-13 11:08 <DIR> d-------- c:\documents and settings\Stoycho\(null)
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 22:51 . 2009-03-10 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-03-10 22:50 . 2009-03-10 22:50 <DIR> d-------- c:\program files\Yahoo! Games
2009-03-10 22:48 . 2009-03-10 22:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-10 22:47 . 2009-03-10 22:47 <DIR> d-------- c:\program files\Java
2009-03-09 16:21 . 2009-03-09 16:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 20:35 --------- d-----w c:\documents and settings\Stoycho\Application Data\HPAppData
2009-03-11 15:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-13 04:56 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-21 22:37 --------- d-----w c:\program files\McAfee
2009-01-21 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-21 22:36 --------- d-----w c:\program files\Common Files\McAfee
2009-01-21 02:21 --------- d-----w c:\documents and settings\Stoycho\Application Data\Malwarebytes
2009-01-21 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 1.39.10.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-14 20:41:01 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_104.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2007-11-08 92960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-10-27 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 185896]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-20 487424]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-08-18 604776]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-27 50688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 10:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 13:14 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-10-27 03:57 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Voip\\Communicator\\Communicator.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-12-12 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-12-12 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-12-10 4442]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [2008-09-27 94208]
R2 tp4serv;tp4serv;c:\program files\Lenovo\TrackPoint\tp4servinst.exe [2007-11-08 35616]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-09-24 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-09-24 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-09-24 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-09-24 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-09-24 100648]
S3 D100IB;D100IB;c:\windows\system32\drivers\D100IB5.SYS [2007-12-07 117760]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-04-26 22568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2e765c-9769-11dd-940d-001e4cf2ff80}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-09-25 01:47]
.
- - - - ORPHANS REMOVED - - - -

BHO-{88b997e1-aa58-4d41-859e-345038c5d015} - c:\windows\system32\vibinuze.dll
BHO-{c03fc7e9-b075-42bf-990d-ed9982adcbe9} - c:\windows\system32\cqlrey.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Stoycho\Application Data\Mozilla\Firefox\Profiles\qs2q3rro.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 15:42:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(984)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
.
**************************************************************************
.
Completion time: 2009-03-14 15:45:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 20:45:51
ComboFix2.txt 2009-03-14 17:56:34
ComboFix3.txt 2009-03-14 06:40:02

Pre-Run: 45,432,852,480 bytes free
Post-Run: 45,478,072,320 bytes free

221 --- E O F --- 2009-03-13 04:02:36
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 03:37 PM   #11 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: trojan removal
Hello again, zokoloto. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Are you getting prompted to install the Recovery Console? Please follow the prompts to install it.

I'm not sure how to answer your question. Are you the only user? MBAM is a very good application, but it sometimes doesn't fix everything.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-

SkipFix::
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 05:24 PM   #12 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
the system seems to be running fine now. I am the only user so I'm not sure why the infection persists. as for the recovery console, I am prompted to install it, it downloads to 100% but there is an error that occurs every time and doesn't allow it to install.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 14, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 14, 2009 22:44:29
Records in database: 1903311
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 71981
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:58:57


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll.vir Infected: not-a-virus:WebToolbar.Win32.Zango.bd 1

The selected area was scanned.


ComboFix 09-03-13.02 - Stoycho 2009-03-14 16:46:24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.1456 [GMT -5:00]
Running from: c:\documents and settings\Stoycho\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stoycho\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 11:08 . 2009-03-13 11:08 <DIR> d-------- c:\documents and settings\Stoycho\(null)
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 22:51 . 2009-03-10 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-03-10 22:50 . 2009-03-10 22:50 <DIR> d-------- c:\program files\Yahoo! Games
2009-03-10 22:48 . 2009-03-10 22:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-10 22:47 . 2009-03-10 22:47 <DIR> d-------- c:\program files\Java
2009-03-09 16:21 . 2009-03-09 16:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 20:35 --------- d-----w c:\documents and settings\Stoycho\Application Data\HPAppData
2009-03-11 15:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-11 03:48 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-13 04:56 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-21 22:37 --------- d-----w c:\program files\McAfee
2009-01-21 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-21 22:36 --------- d-----w c:\program files\Common Files\McAfee
2009-01-21 02:21 --------- d-----w c:\documents and settings\Stoycho\Application Data\Malwarebytes
2009-01-21 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 1.39.10.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-14 20:41:01 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_104.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2007-11-08 92960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-10-27 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 185896]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-20 487424]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-08-18 604776]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-27 50688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 10:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 13:14 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-10-27 03:57 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Voip\\Communicator\\Communicator.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-12-12 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-12-12 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-12-10 4442]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [2008-09-27 94208]
R2 tp4serv;tp4serv;c:\program files\Lenovo\TrackPoint\tp4servinst.exe [2007-11-08 35616]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-09-24 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-09-24 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-09-24 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-09-24 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-09-24 100648]
S3 D100IB;D100IB;c:\windows\system32\drivers\D100IB5.SYS [2007-12-07 117760]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-04-26 22568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2e765c-9769-11dd-940d-001e4cf2ff80}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-09-25 01:47]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Stoycho\Application Data\Mozilla\Firefox\Profiles\qs2q3rro.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 16:46:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(984)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
Completion time: 2009-03-14 16:47:50
ComboFix-quarantined-files.txt 2009-03-14 21:47:48
ComboFix2.txt 2009-03-14 20:45:55
ComboFix3.txt 2009-03-14 17:56:34
ComboFix4.txt 2009-03-14 06:40:02

Pre-Run: 45,455,167,488 bytes free
Post-Run: 45,438,226,432 bytes free

179 --- E O F --- 2009-03-13 04:02:36
Last edited by zokoloto; 03-14-2009 at 05:26 PM.
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 05:50 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
update, McAfee just detected a virus, detected as W95/Suk, it was detected in my temp file so it was not something quarantined by combofix. Unless the site fmylife.com is a virus site I don't know what I possibly could have done to get another infection
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 07:01 PM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: trojan removal
Hello again, zokoloto. What does the error message say when it fails to install the Recovery Console?

------------------------------------------------------

Again, I'm not sure what to tell you. Your logs are clean.

fmylife.com seems to be OK:

http://www.siteadvisor.com/sites/fmylife.com

------------------------------------------------------

When you report that McAfee has found something, W95/Suk won't help me. I need full file names/paths.

Is McAfee a must have? It's also a resource hog. There are much better purchased AV's on the market. Let me know.

Run dds again and post just the first log in your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 02:23 AM   #15 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
I'm really at a loss for what to do, the infection is just as bad as ever. I checked all the sites I have visited in the past week or so on that site you sent me and they're all clean. I'm considering backing up my important files and just reinstalling windows. McAfee isn't a must but it's the only program I get for free from my college so I'd rather stick with that.
here's the DDS log


DDS (Ver_09-02-01.01) - NTFSx86
Run by Stoycho at 3:17:20.46 on Sun 03/15/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.1359 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\windows\system32\ibmpmsvc.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
C:\windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\windows\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\windows\system32\TpShocks.exe
C:\windows\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stoycho\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {2b28e8e5-9102-7c5a-2894-50f562bae60f}: {f06eab26-5f05-4982-a5c7-20195e8e82b2} - c:\windows\system32\erujwk.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrackPointSrv] "c:\program files\lenovo\trackpoint\tp4serv.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AwaySch] "c:\program files\lenovo\awaytask\AwaySch.EXE"
mRun: [TpShocks] TpShocks.exe
mRun: [TPKMAPHELPER] "c:\program files\thinkpad\utilities\TpKmapAp.exe" -helper
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [74b94730] rundll32.exe "c:\windows\system32\hikemavi.dll",b
mRun: [CPM778a74ac] Rundll32.exe "c:\windows\system32\jilorako.dll",a
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197067049953
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197067105187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: erujwk.dll c:\windows\system32\jilorako.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jilorako.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\jilorako.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stoycho\applic~1\mozilla\firefox\profiles\qs2q3rro.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-5-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-12-12 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-12-12 4224]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-12-10 4442]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-21 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2008-9-27 94208]
R2 tp4serv;tp4serv;c:\program files\lenovo\trackpoint\tp4servinst.exe [2007-11-8 35616]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-1-21 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-1-21 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-1-21 174952]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-9-24 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-9-24 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-9-24 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-9-24 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-9-24 100648]
S3 D100IB;D100IB;c:\windows\system32\drivers\D100IB5.SYS [2007-12-7 117760]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-4-26 22568]

=============== Created Last 30 ================

2009-03-15 02:09 141,824 a--sh--- c:\windows\system32\erujwk.dll
2009-03-14 16:45 <DIR> --d----- C:\ComboFix
2009-03-13 17:26 161,792 a------- c:\windows\SWREG.exe
2009-03-13 17:26 98,816 a------- c:\windows\sed.exe
2009-03-13 11:08 <DIR> --d----- c:\documents and settings\stoycho\(null)
2009-03-11 00:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-11 00:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-10 22:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2009-03-10 22:50 <DIR> --d----- c:\program files\Yahoo! Games
2009-03-10 22:48 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-09 18:48 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-03-15 02:09 141,824 a--sh--- c:\windows\system32\logomafe.dll
2009-03-15 02:09 107,520 a--sh--- c:\windows\system32\jilorako.dll
2009-03-15 02:09 101,888 a--sh--- c:\windows\system32\hikemavi.dll
2009-03-10 22:48 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 3:19:17.32 ===============
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 06:36 AM   #16 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: trojan removal
Hello again, zokoloto. This is bizarre. I'm not seeing where it's coming in.

I understand because of school if you want to wipe the drive and start over.
  • Download Silent Runners and Save it to your Desktop.
  • Double-click Silent Runners.zip
  • Click 'Extract all files' and follow the prompts to install it.
  • Double-click Silent Runners.vbs to run it.
  • Click 'Open'
  • When asked to skip the supplementary scan, click No, then Yes
  • When it finishes, a box will tell you where the logfile is saved.
  • Please attach the log to your next reply.
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 11:16 AM   #17 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\windows\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TrackPointSrv" = ""C:\Program Files\Lenovo\TrackPoint\tp4serv.exe"" ["Lenovo Group Limited"]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"AwaySch" = ""C:\Program Files\Lenovo\AwayTask\AwaySch.EXE"" ["Lenovo Group Limited"]
"TpShocks" = "TpShocks.exe" ["Lenovo."]
"TPKMAPHELPER" = ""C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" -helper" ["Lenovo"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"PWRMGRTR" = "rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor" [MS]
"BLOG" = "rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog" [MS]
"EZEJMNAP" = "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" ["Lenovo Group Ltd."]
"LPManager" = "C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" ["Lenovo Group Limited"]
"ACTray" = "C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" ["Lenovo "]
"ACWLIcon" = "C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" ["Lenovo "]
"SoundMAXPnP" = ""C:\Program Files\Analog Devices\Core\smax4pnp.exe"" ["Analog Devices, Inc."]
"SynTPLpr" = ""C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"" ["Synaptics, Inc."]
"SynTPEnh" = ""C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"" ["Synaptics, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"LPMailChecker" = "C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe" ["Lenovo Group Limited"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard"]
"TVT Scheduler Proxy" = "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" ["Lenovo Group Limited"]
"TPHOTKEY" = "C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" ["Lenovo Group Limited"]
"ShStatEXE" = ""C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE" ["McAfee, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey" ["McAfee, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"74b94730" = "rundll32.exe "C:\windows\system32\hikemavi.dll",b" [MS]
"CPM778a74ac" = "Rundll32.exe "c:\windows\system32\jilorako.dll",a" [MS]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0347C33E-8762-4905-BF09-768834316C61}\(Default) = "HP Print Enhancer"
-> {HKLM...CLSID} = "HP Print Enhancer"
\InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll" ["Hewlett-Packard Co."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy"
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll" ["McAfee, Inc."]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]
{f06eab26-5f05-4982-a5c7-20195e8e82b2}\(Default) = "{2b28e8e5-9102-7c5a-2894-50f562bae60f}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\windows\system32\erujwk.dll" [null data]
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\(Default) = "HP Smart BHO Class"
-> {HKLM...CLSID} = "HP Smart BHO Class"
\InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll" ["Hewlett-Packard Co."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{7842554E-6BED-11D2-8CDB-B05550C10000}" = "Monitor"
-> {HKLM...CLSID} = "Monitor Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btncopy.dll" ["Broadcom Corporation."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ThinkVantage\SMA\7z\7-zip.dll" ["Igor Pavlov"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\BTNEIG~1.DLL" ["Broadcom Corporation."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" = "STS"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\windows\system32\jilorako.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
"SSODL" = "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\windows\system32\jilorako.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Notification Packages" = "scecli"|"ACGina"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> ACNotify\DLLName = "ACNotify.dll" [file not found]
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> tpfnf2\DLLName = "C:\Program Files\Lenovo\HOTKEY\notifyf2.dll" [null data]
<<!>> tphotkey\DLLName = "C:\Program Files\Lenovo\HOTKEY\tphklock.dll" ["Lenovo Group Limited"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan Enterprise\shext.dll" ["McAfee, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan Enterprise\shext.dll" ["McAfee, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan Enterprise\shext.dll" ["McAfee, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Desktop Background.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Stoycho\Application Data\Mozilla\Firefox\Desktop Background.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\windows\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay8VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\realplay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\realplay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\realplay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\realplay.exe" /autoplay "%1"" ["RealNetworks, Inc."]


Startup items in "Stoycho" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Bluetooth" -> shortcut to: "C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["Avanquest Software "]


Enabled Scheduled Tasks:
------------------------

"PMTask" -> launches: "C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-12650"
"Script" = "C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm" [null data]

{DDE87865-83C5-48C4-8357-2F5B1AA84522}\
"ButtonText" = "HP Smart Select"
"CLSIDExtension" = "{DDE87865-83C5-48c4-8357-2F5B1AA84522}"
-> {HKLM...CLSID} = "ClipBookBtn Class"
\InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll" ["Hewlett-Packard Co."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ac Profile Manager Service, AcPrfMgrSvc, "C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe" ["Lenovo "]
Access Connections Main Service, AcSvc, "C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe" ["Lenovo "]
Bluetooth Service, btwdins, "C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\system32\brsvc01a.exe" ["brother Industries Ltd"]
IBM KCU Service, TpKmpSVC, "C:\WINDOWS\system32\TpKmpSVC.exe" [null data]
Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
IPS Core Service, IPSSVC, "C:\windows\system32\IPSSVC.EXE" ["Lenovo Group Limited"]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"" [MS]
McAfee Framework Service, McAfeeFramework, ""C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart" ["McAfee, Inc."]
McAfee McShield, McShield, ""C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe"" ["McAfee, Inc."]
McAfee Task Manager, McTaskManager, ""C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe"" ["McAfee, Inc."]
Net Driver HPZ12, Net Driver HPZ12, "C:\windows\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"] }
Pml Driver HPZ12, Pml Driver HPZ12, "C:\windows\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"] }
Power Manager DBC Service, Power Manager DBC Service, "C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE" [empty string]
System Update, SUService, "c:\program files\lenovo\system update\suservice.exe" [null data]
ThinkPad HDD APS Logging Service, TPHDEXLGSVC, "System32\TPHDEXLG.exe" ["Lenovo."]
ThinkPad PM Service, IBMPMSVC, "C:\windows\system32\ibmpmsvc.exe" ["Lenovo"]
ThinkVantage Registry Monitor Service, ThinkVantage Registry Monitor Service, ""C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe"" ["Lenovo Group Limited"]
tp4serv, tp4serv, "C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE" ["Lenovo Group Limited"]
TVT Scheduler, TVT Scheduler, ""C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe"" ["Lenovo Group Limited"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\windows\system32\svchost.exe -k WudfServiceGroup" {"C:\windows\System32\WUDFSvc.dll" [MS]}
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PCL hpz3l5mu\Driver = "hpz3l5mu.dll" ["Hewlett-Packard Company"]


---------- (launch time: 2009-03-15 12:10:24)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 128 seconds.
---------- (total run time: 178 seconds)
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 12:21 PM   #18 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: trojan removal
Hello again, zokoloto.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/355474-trojan-removal.html#post2023116

DDS::
AppInit_DLLs: erujwk.dll c:\windows\system32\jilorako.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jilorako.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\jilorako.dll

Collect::
c:\windows\system32\hikemavi.dll
c:\windows\system32\jilorako.dll
c:\windows\system32\erujwk.dll
c:\windows\system32\logomafe.dll
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

C:\CF-Submit.htm

Please follow the instructions for submitting the file for analysis and let me know it was submitted.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 12:52 PM   #19 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 14
OS: windows xp service pack 3


Re: trojan removal
I had to follow your instructions for manually submitting the file from earlier, but it was submitted successfully. The error in installing the recovery console says that the "boot partition could not be enumerated correctly" I don't know if that is something that is preventing combofix from completely removing my problem, but you had asked what the error was.

ComboFix 09-03-14.02 - Stoycho 2009-03-15 13:35:06.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2006.1427 [GMT -5:00]
Running from: c:\documents and settings\Stoycho\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stoycho\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\erujwk.dll
c:\windows\system32\hikemavi.dll
c:\windows\system32\jilorako.dll
c:\windows\system32\logomafe.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-13 11:08 . 2009-03-13 11:08 <DIR> d-------- c:\documents and settings\Stoycho\(null)
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-11 00:33 . 2009-03-12 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 22:51 . 2009-03-10 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-03-10 22:50 . 2009-03-10 22:50 <DIR> d-------- c:\program files\Yahoo! Games
2009-03-10 22:48 . 2009-03-10 22:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-10 22:47 . 2009-03-10 22:47 <DIR> d-------- c:\program files\Java
2009-03-09 16:21 . 2009-03-09 16:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 17:27 --------- d-----w c:\documents and settings\Stoycho\Application Data\HPAppData
2009-03-11 15:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-13 04:56 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-21 22:37 --------- d-----w c:\program files\McAfee
2009-01-21 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-21 22:36 --------- d-----w c:\program files\Common Files\McAfee
2009-01-21 02:21 --------- d-----w c:\documents and settings\Stoycho\Application Data\Malwarebytes
2009-01-21 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 1.39.10.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-15 18:37:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2007-11-08 92960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-10-27 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 185896]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-20 487424]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-08-18 604776]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-27 50688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 10:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 13:14 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-10-27 03:57 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Voip\\Communicator\\Communicator.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-12-12 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-12-12 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-12-10 4442]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [2008-09-27 94208]
R2 tp4serv;tp4serv;c:\program files\Lenovo\TrackPoint\tp4servinst.exe [2007-11-08 35616]
S3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\drivers\a016bus.sys [2008-09-24 83880]
S3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\drivers\a016mdfl.sys [2008-09-24 15016]
S3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\drivers\a016mdm.sys [2008-09-24 110504]
S3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\a016mgmt.sys [2008-09-24 104488]
S3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\drivers\a016obex.sys [2008-09-24 100648]
S3 D100IB;D100IB;c:\windows\system32\drivers\D100IB5.SYS [2007-12-07 117760]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-04-26 22568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2e765c-9769-11dd-940d-001e4cf2ff80}]
\Shell\AutoRun\command - wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-15 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-09-25 01:47]
.
- - - - ORPHANS REMOVED - - - -

BHO-{f06eab26-5f05-4982-a5c7-20195e8e82b2} - c:\windows\system32\erujwk.dll
HKLM-Run-74b94730 - c:\windows\system32\hikemavi.dll
HKLM-Run-CPM778a74ac - c:\windows\system32\jilorako.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Stoycho\Application Data\Mozilla\Firefox\Profiles\qs2q3rro.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 13:38:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(984)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
.
**************************************************************************
.
Completion time: 2009-03-15 13:42:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 18:42:45
ComboFix2.txt 2009-03-14 21:47:51
ComboFix3.txt 2009-03-14 20:45:55
ComboFix4.txt 2009-03-14 17:56:34
ComboFix5.txt 2009-03-15 18:33:12

Pre-Run: 45,434,908,672 bytes free
Post-Run: 45,417,869,312 bytes free

221 --- E O F --- 2009-03-13 04:02:36
zokoloto is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 01:20 PM   #20 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,538
OS: XP SP3


Re: trojan removal
Thanks for submitting the file.

Nothing is showing in your logs again. Let me know how your system behaves or if McAfee detects anything.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 07:47 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85