BleepingComputer.com: Infected With Virtumonde

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Infected With Virtumonde

#1 User is offline   virtualinsanity 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 10-June 08

Posted 10 June 2008 - 05:10 PM

My pc been infected by Virtumonde and ad popups today. Symptoms include Firefox and ie7 extremely slow as well as ad popups every few seconds.

Spybot picked up Virtumonde and tried removing it unsuccessfully.

After following instructions on this forum, I have run first Vundo and then VirtumundoBeGone in Safe Mode and it has made a difference but pc is still unusable - CPU% really high, and browsers unusable. Popups still happening. I tried running Kaspersky Online Scanner but it kept on crashing before 1% - wasted a day on this now - and desperate to get it sorted - any help would be really appreciated!

Thanks

My DSS report:

Deckard's System Scanner v20071014.68
Run by GB033796 on 2008-06-10 22:31:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-10 22:31:31
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\IBM\Mobility Client\artstartsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\C4ebreg\c4ebreg.exe
C:\sdwork\issimsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\cmd.exe
C:\notes\ntmulti.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\IBM\tivoli\dcd\client\ISSI\_jvm\jre\bin\java.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\drivers\ldlcserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.2.24\pmonmh.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\C4ebreg\isamtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\IBM\My Help\MyHelp.exe
C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
C:\Documents and Settings\Administrator\Application Data\U3\0000184AA471A694\LaunchPad.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/download/standardsoftware/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\epuysgfu.dll
O2 - BHO: (no name) - {60965FD8-1FDE-4BD6-990A-62535B57B9A5} - C:\WINDOWS\system32\jkkJcAsp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A1E72E3E-347E-45EE-B703-848A24A434BB} - C:\WINDOWS\system32\yayvusqp.dll (file missing)
O2 - BHO: {e2e6db24-0b89-16ba-89b4-7579d933db4f} - {f4bd339d-9757-4b98-ab61-98b042bd6e2e} - C:\WINDOWS\system32\tyuypnpd.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [MyHelpService] C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\delaystart.exe
O4 - HKLM\..\Run: [ipmcmu] c:\Program Files\IBM\IPM Client Migration Utility\ipmcmu.exe "c:\Program Files\IBM\IPM Client Migration Utility"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [pmonmh] C:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.24/pmonmh.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [defergui] c:/sdwork/defergui.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\C4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [Isamtray] "C:\Program Files\C4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [6806ab12] rundll32.exe "C:\WINDOWS\system32\josxpfcn.dll",b
O4 - HKLM\..\Run: [BM6b35988e] Rundll32.exe "C:\WINDOWS\system32\kcnhtrmv.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O11 - Options Group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: SearchList = manch.uk.ibm.com,uk.ibm.com,ibm.com
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: SearchList = manch.uk.ibm.com,uk.ibm.com,ibm.com
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: ACNotify - C:\WINDOWS\system32\ACNotify.dll (file missing)
O20 - Winlogon Notify: atmgrtok - C:\WINDOWS\system32\atmgrtok.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\drivers\appnnode.exe
O23 - Service: Mobility Client (ArtourService) - IBM - C:\Program Files\IBM\Mobility Client\artsvc.exe
O23 - Service: IBM Mobility Client Start Utility (artstartsvc) - Unknown owner - C:\Program Files\IBM\Mobility Client\artstartsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM DCD Standard Client (DCDClient-ISSI) (DCDClient-ISSI) - Unknown owner - C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - Unknown owner - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\C4ebreg\c4ebreg.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Corp. - C:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: My Help (MyHelp) - Unknown owner - C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Network Client\NetCfgSv.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\system32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSvc.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\drivers\trcboot.exe


--
End of file - 15785 bytes

-- Files created between 2008-05-10 and 2008-06-10 -----------------------------

2008-06-10 19:16:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-10 18:12:34 147456 --a------ C:\WINDOWS\system32\josxpfcn.dll
2008-06-10 18:09:33 92160 --a------ C:\WINDOWS\system32\epuysgfu.dll
2008-06-10 18:06:38 157184 --a------ C:\WINDOWS\system32\kcnhtrmv.dll
2008-06-10 18:03:32 490853 --ahs---- C:\WINDOWS\system32\pqsuvyay.ini2
2008-06-10 14:05:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 13:42:10 0 d-------- C:\VundoFix Backups
2008-06-10 11:26:04 109056 --a------ C:\WINDOWS\system32\tyuypnpd.dll
2008-06-10 11:26:02 92160 -----n--- C:\WINDOWS\system32\panmprlm.dll
2008-06-10 11:23:49 100352 --a------ C:\WINDOWS\system32\vewkwfhp.dll
2008-06-10 11:19:33 100352 --a------ C:\WINDOWS\system32\sxtfeqgy.dll
2008-06-10 09:58:43 109056 --a------ C:\WINDOWS\system32\napfyvfv.dll
2008-06-10 09:49:39 100352 --a------ C:\WINDOWS\system32\shlonjso.dll
2008-06-09 09:58:10 92160 --a------ C:\WINDOWS\system32\ueqbndsm.dll
2008-06-09 09:55:10 109056 --a------ C:\WINDOWS\system32\xpqvtoaa.dll
2008-06-09 09:49:10 100864 --a------ C:\WINDOWS\system32\fkpuxftg.dll
2008-06-08 23:28:24 0 d-------- C:\Documents and Settings\All Users\Application Data\DivoGames
2008-06-08 23:26:29 0 d-------- C:\WINDOWS\The Tuttles - Madcap Misadventures
2008-06-08 21:13:07 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-08 21:13:06 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 09:57:14 108544 --a------ C:\WINDOWS\system32\jpvckghg.dll
2008-06-07 09:43:35 507918 --ahs---- C:\WINDOWS\system32\psAcJkkj.ini2
2008-06-06 20:41:04 108544 --a------ C:\WINDOWS\system32\petpjnxi.dll
2008-06-06 20:32:05 100864 --a------ C:\WINDOWS\system32\ndnordlm.dll
2008-06-02 20:35:27 493045 --ahs---- C:\WINDOWS\system32\MVuDLkkj.ini2
2008-05-19 01:29:56 78468 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-19 00:24:29 0 d-------- C:\Program Files\Apple Software Update
2008-05-19 00:24:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-18 22:55:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer


-- Find3M Report ---------------------------------------------------------------

2008-06-10 22:30:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-10 21:58:34 0 d-------- C:\Program Files\C4ebreg
2008-06-10 20:30:24 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-10 19:22:29 40 --a------ C:\WINDOWS\system32\profile.dat
2008-06-10 16:19:38 0 d-------- C:\Program Files\Java
2008-06-10 12:03:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\SolSuite
2008-05-27 16:41:29 24677 --a------ C:\Documents and Settings\Administrator\Application Data\Comma Separated Values (Windows).ADR
2008-05-15 00:00:24 3750 --a------ C:\WINDOWS\mozver.dat
2008-05-02 15:35:47 57344 --a------ C:\WINDOWS\isamunin.exe <Not Verified; IBM Corp.; >
2008-04-21 15:21:02 0 d-------- C:\Program Files\Windows Desktop Search
2008-04-21 15:17:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-14 23:04:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\EA


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
10/06/2008 18:09 92160 --a------ C:\WINDOWS\system32\epuysgfu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60965FD8-1FDE-4BD6-990A-62535B57B9A5}]
C:\WINDOWS\system32\jkkJcAsp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1E72E3E-347E-45EE-B703-848A24A434BB}]
C:\WINDOWS\system32\yayvusqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f4bd339d-9757-4b98-ab61-98b042bd6e2e}]
10/06/2008 11:26 109056 --a------ C:\WINDOWS\system32\tyuypnpd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 06:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 06:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 06:00]
"ISAM SMT Service"="C:\Program Files\C4ebreg\isamsmt.exe" []
"stgclean"="c:\sdwork\w32main2.exe" [14/04/2008 12:44]
"Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [06/09/2005 10:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [19/07/2006 20:26]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [27/09/2006 21:33]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [14/12/2005 01:00]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [14/12/2005 01:00]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [14/12/2005 01:00]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [20/05/2005 01:00]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [27/05/2008 12:13]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [14/02/2006 01:00]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [14/02/2006 01:00]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [09/03/2007 01:00]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [13/04/2007 06:15]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [13/04/2007 06:15]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [17/05/2007 12:41]
"@"="" []
"TpShocks"="TpShocks.exe" [29/03/2007 19:40 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [17/10/2005 02:11 C:\WINDOWS\system32\TP4EX.exe]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [10/04/2007 08:03]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [09/01/2007 17:28]
"MyHelpService"="C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\delaystart.exe" [19/12/2006 14:44]
"ipmcmu"="c:\Program Files\IBM\IPM Client Migration Utility\ipmcmu.exe" [02/10/2007 12:53]
"PSQLLauncher"="C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" []
"pmonmh"="C:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.24/pmonmh.exe" [02/05/2007 19:38]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [12/01/2006 20:52]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [17/05/2007 12:46]
"defergui"="c:/sdwork/defergui.exe" [03/03/2008 15:18 c:\sdwork\defergui.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 16:17]
"C4EBReg"="C:\Program Files\C4ebreg\c4ebreg.exe" [06/02/2008 16:58]
"Isamtray"="C:\Program Files\C4ebreg\isamtray.exe" [02/05/2008 15:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"6806ab12"="C:\WINDOWS\system32\josxpfcn.dll" [10/06/2008 18:12]
"BM6b35988e"="C:\WINDOWS\system32\kcnhtrmv.dll" [10/06/2008 18:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [04/10/2007 22:07:25]
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [01/08/2006 20:25:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 17/05/2007 12:41 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
atmgrtok.dll 06/09/2005 10:07 53248 C:\Program Files\IBM\Personal Communications\atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
pcsinst.dll 06/09/2005 19:43 49152 C:\WINDOWS\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 06/09/2006 01:00 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 14/12/2006 01:00 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayvusqp
"Notification Packages"= scecli ACGina


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcd00112-710f-11dc-b87c-020255061358}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-06-10 23:05:19 ------------

Attached File(s)

  • Attached File  VBG.TXT (5.74K)
    Number of downloads: 34

#2 User is offline   virtualinsanity 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 10-June 08

Posted 11 June 2008 - 06:08 AM

Please - I have a genuine issue with removing Virtumonde from my work laptop - that will teach me to lend it to my brother-in-law who probably spent all weekend browsing for p0rn instead of research for his thesis!!

OK, OK I know, I committed the cardinal sin - never again!! But if anyone can help me I literally cannot do any work at moment and have presentations to prepare for today and tomorrow, and apart from anything else, am likely to get sacked if I can't get this cleaned up!!

Sorry to bump the message, only I see so many others posted since mine who are getting immediate help - maybe mine's too difficult to resolve?? And everyone just goes after the easier ones first?? I don't know how this forum works... But if it's too difficult for anyone to solve, then please advise, and I will try another forum...

Thanks!

Virtuomonde Thread

#3 User is offline   Buckeye_Sam 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,382
  • Joined: 23-December 04
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 June 2008 - 08:53 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 User is offline   virtualinsanity 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 10-June 08

Posted 11 June 2008 - 09:50 AM

Hi Sam! Really appreciate your help on this one thanks!

Just finished ComboFix as instructed - here is the log!

ComboFix 08-06-10.5 - GB033796 2008-06-11 15:32:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.523 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6b35988e.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bqwfnylw.ini
C:\WINDOWS\system32\epuysgfu.dll
C:\WINDOWS\system32\fkpuxftg.dll
C:\WINDOWS\system32\josxpfcn.dll
C:\WINDOWS\system32\jpvckghg.dll
C:\WINDOWS\system32\jvqrhmyx.ini
C:\WINDOWS\system32\kcnhtrmv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlrpmnap.ini
C:\WINDOWS\system32\mqsbrdua.ini
C:\WINDOWS\system32\msdnbqeu.ini
C:\WINDOWS\system32\MVuDLkkj.ini
C:\WINDOWS\system32\MVuDLkkj.ini2
C:\WINDOWS\system32\napfyvfv.dll
C:\WINDOWS\system32\ncfpxsoj.ini2
C:\WINDOWS\system32\ncfpxsoj.tmp
C:\WINDOWS\system32\ndnordlm.dll
C:\WINDOWS\system32\panmprlm.dll
C:\WINDOWS\system32\petpjnxi.dll
C:\WINDOWS\system32\pqsuvyay.ini
C:\WINDOWS\system32\pqsuvyay.ini2
C:\WINDOWS\system32\psAcJkkj.ini
C:\WINDOWS\system32\psAcJkkj.ini2
C:\WINDOWS\system32\shlonjso.dll
C:\WINDOWS\system32\sxtfeqgy.dll
C:\WINDOWS\system32\tyuypnpd.dll
C:\WINDOWS\system32\ueqbndsm.dll
C:\WINDOWS\system32\vewkwfhp.dll
C:\WINDOWS\system32\wreaenbv.ini
C:\WINDOWS\system32\xceuckmb.ini
C:\WINDOWS\system32\xpqvtoaa.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-11 15:37 . 2008-05-02 15:32 7,012 --------- C:\WINDOWS\system32\drivers\PMEMNT.SYS
2008-06-11 13:07 . 2008-06-11 13:13 <DIR> d-------- C:\Program Files\pdf995
2008-06-11 13:07 . 2008-06-11 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-11 13:07 . 2008-06-11 13:07 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-06-11 13:07 . 2008-06-11 13:07 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-06-11 13:07 . 2008-06-11 13:07 25 --a------ C:\WINDOWS\wpd99.drv
2008-06-10 20:15 . 2008-06-10 20:15 <DIR> d-------- C:\Deckard
2008-06-10 15:07 . 2008-06-10 20:05 268 --a------ C:\WINDOWS\wininit.ini
2008-06-10 14:05 . 2008-06-10 14:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-10 14:05 . 2008-06-10 15:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 13:42 . 2008-06-10 13:42 <DIR> d-------- C:\VundoFix Backups
2008-06-08 23:28 . 2008-06-08 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DivoGames
2008-06-08 21:13 . 2008-06-08 21:13 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-08 21:13 . 2008-06-08 22:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 02:34 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.1
2008-06-03 01:56 . 2008-06-03 02:45 68,276 --------- C:\WINDOWS\hpoins05.dat.temp
2008-06-03 01:56 . 2005-07-29 02:28 19,696 --------- C:\WINDOWS\hpomdl05.dat.temp
2008-06-02 20:30 . 2008-06-02 20:30 58,880 --a------ C:\WINDOWS\system32\xxyxUkjK.dll.vir
2008-05-28 01:17 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-28 01:17 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-19 01:29 . 2008-05-19 23:11 78,468 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-18 22:55 . 2008-05-18 22:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 14:37 --------- d-----w C:\Program Files\C4ebreg
2008-06-11 12:46 --------- d-----w C:\Program Files\Java
2008-06-11 12:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-11 12:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-11 11:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-06-11 09:54 --------- d-----w C:\Program Files\Windows Live
2008-06-10 11:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SolSuite
2008-05-02 14:35 57,344 ----a-w C:\WINDOWS\isamunin.exe
2008-04-27 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\IGS
2008-04-21 14:21 --------- d-----w C:\Program Files\Windows Desktop Search
2008-04-21 14:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 22:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EA
2008-04-14 20:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\EA
2008-01-22 22:45 66,144 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 3,398 2008-02-20 23:38:54 C:\Program Files\IBM\tivoli\dcd\client\ISSI\bak\cds\ISXuninst1.bat.bak

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60965FD8-1FDE-4BD6-990A-62535B57B9A5}]
C:\WINDOWS\system32\jkkJcAsp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1E72E3E-347E-45EE-B703-848A24A434BB}]
C:\WINDOWS\system32\yayvusqp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00 455168]
"ISAM SMT Service"="C:\Program Files\C4ebreg\isamsmt.exe" [ ]
"stgclean"="c:\sdwork\w32main2.exe" [2008-04-14 12:44 272896]
"Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [2005-09-06 10:07 28672]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 21:33 125168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 01:00 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 01:00 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 01:00 118784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 01:00 925696]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2008-05-27 12:13 217600]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 01:00 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 01:00 512000]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 01:00 66176]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 06:15 196608]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 06:15 208896]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 12:41 126976]
"TpShocks"="TpShocks.exe" [2007-03-29 19:40 181808 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 02:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 08:03 58416]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 17:28 868352]
"MyHelpService"="C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\delaystart.exe" [2006-12-19 14:44 81920]
"ipmcmu"="c:\Program Files\IBM\IPM Client Migration Utility\ipmcmu.exe" [2007-10-02 12:53 204800]
"PSQLLauncher"="C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" [ ]
"pmonmh"="C:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.24/pmonmh.exe" [2007-05-02 19:38 188416]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 12:46 413696]
"defergui"="c:/sdwork/defergui.exe" [2008-03-03 15:18 138752 c:\sdwork\defergui.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"C4EBReg"="C:\Program Files\C4ebreg\c4ebreg.exe" [2008-02-06 16:58 372736]
"Isamtray"="C:\Program Files\C4ebreg\isamtray.exe" [2008-05-02 15:35 253952]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-01 20:25:16 622653]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 2007-05-17 12:41 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
atmgrtok.dll 2005-09-06 10:07 53248 C:\Program Files\IBM\Personal Communications\atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
pcsinst.dll 2005-09-06 19:43 49152 C:\WINDOWS\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 01:00 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 01:00 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-04-13 06:15]
R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2005-09-06 10:07]
R2 artstartsvc;IBM Mobility Client Start Utility;C:\Program Files\IBM\Mobility Client\artstartsvc.exe [2007-04-02 16:39]
R2 DCDClient-ISSI;IBM DCD Standard Client (DCDClient-ISSI);C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe [2007-12-12 23:46]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2005-09-06 10:07]
R2 ISAMSvc;IBM Standard Asset Manager Service;"C:\Program Files\C4ebreg\c4ebreg.exe" [2008-02-06 16:58]
R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2005-09-06 10:07]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2005-09-06 10:07]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2005-09-06 10:07]
R3 ABVPN2K;Net Firewall Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2004-06-03 18:47]
R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2005-09-06 10:07]
R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2005-09-06 10:07]
R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2005-09-06 10:07]
R3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13:48]
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2005-09-06 10:07]
R3 pdlnacom;PDLC Adapter -- COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2005-09-06 10:07]
R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2005-09-06 10:07]
R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2005-09-06 10:07]
R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2005-09-06 10:07]
R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2005-09-06 10:07]
R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2005-09-06 10:07]
R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2005-09-06 10:07]
R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2005-09-06 10:07]
R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2005-09-06 10:07]
R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2005-09-06 10:07]
R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2005-09-06 10:07]
R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2005-09-06 10:07]
R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2005-09-06 10:07]
R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2005-09-06 10:07]
R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2005-09-06 10:07]
R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2005-09-06 10:07]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2005-09-06 10:07]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2005-09-06 10:07]
R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2005-09-06 10:07]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2005-09-06 10:07]
R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2005-09-06 10:07]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-11-15 04:00]
S2 MyHelp;My Help;C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpService.exe [2006-12-11 11:48]
S3 wcndis;Mobility Client Virtual Miniport;C:\WINDOWS\system32\DRIVERS\wcndis.sys [2006-01-30 08:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcd00112-710f-11dc-b87c-020255061358}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 14:39:56 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 15:39:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\notes\ntmulti.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\drivers\ldlcserv.exe
C:\Program Files\IBM\tivoli\dcd\client\ISSI\_jvm\jre\bin\java.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.2.24\pmonmh.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\IBM\My Help\MyHelp.exe
C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-06-11 15:46:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-11 14:46:28

Pre-Run: 26,276,179,968 bytes free
Post-Run: 26,287,284,224 bytes free

282

#5 User is offline   Buckeye_Sam 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,382
  • Joined: 23-December 04
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 June 2008 - 11:32 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\xxyxUkjK.dll.vir

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60965FD8-1FDE-4BD6-990A-62535B57B9A5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1E72E3E-347E-45EE-B703-848A24A434BB}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===============



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer

  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:

  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 User is offline   virtualinsanity 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 10-June 08

Posted 11 June 2008 - 11:51 AM

Hey thanks Sam!

Just about to run Kaspersky...
In the meantime, the log from the 2nd run of ComboFix

Thanks, Andy...

----------------------------------------------------------------------------------------------------------------

ComboFix 08-06-10.5 - GB033796 2008-06-11 17:44:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.400 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript
* Created a new restore point

FILE ::
C:\WINDOWS\system32\xxyxUkjK.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\xxyxUkjK.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-11 15:37 . 2008-05-02 15:32 7,012 --------- C:\WINDOWS\system32\drivers\PMEMNT.SYS
2008-06-11 13:07 . 2008-06-11 13:13 <DIR> d-------- C:\Program Files\pdf995
2008-06-11 13:07 . 2008-06-11 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-11 13:07 . 2008-06-11 13:07 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-06-11 13:07 . 2008-06-11 13:07 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-06-11 13:07 . 2008-06-11 13:07 25 --a------ C:\WINDOWS\wpd99.drv
2008-06-10 20:15 . 2008-06-10 20:15 <DIR> d-------- C:\Deckard
2008-06-10 15:07 . 2008-06-10 20:05 268 --a------ C:\WINDOWS\wininit.ini
2008-06-10 14:05 . 2008-06-10 14:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-10 14:05 . 2008-06-10 15:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 13:42 . 2008-06-10 13:42 <DIR> d-------- C:\VundoFix Backups
2008-06-08 23:28 . 2008-06-08 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DivoGames
2008-06-08 21:13 . 2008-06-08 21:13 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-08 21:13 . 2008-06-08 22:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 02:34 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.1
2008-06-03 01:56 . 2008-06-03 02:45 68,276 --------- C:\WINDOWS\hpoins05.dat.temp
2008-06-03 01:56 . 2005-07-29 02:28 19,696 --------- C:\WINDOWS\hpomdl05.dat.temp
2008-05-28 01:17 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-28 01:17 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-19 01:29 . 2008-05-19 23:11 78,468 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-18 22:55 . 2008-05-18 22:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 14:37 --------- d-----w C:\Program Files\C4ebreg
2008-06-11 12:46 --------- d-----w C:\Program Files\Java
2008-06-11 12:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-11 12:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-11 11:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-06-11 09:54 --------- d-----w C:\Program Files\Windows Live
2008-06-10 11:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SolSuite
2008-05-02 14:35 57,344 ----a-w C:\WINDOWS\isamunin.exe
2008-04-27 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\IGS
2008-04-21 14:21 --------- d-----w C:\Program Files\Windows Desktop Search
2008-04-21 14:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 22:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EA
2008-04-14 20:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\EA
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 09:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-01-22 22:45 66,144 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2004-09-29 16:03 5,744 ----a-w C:\WINDOWS\inf\removeBRMS.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-06-11_15.46.08.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-11 14:48:40 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_da0.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 3,398 2008-02-20 23:38:54 C:\Program Files\IBM\tivoli\dcd\client\ISSI\bak\cds\ISXuninst1.bat.bak

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00 455168]
"ISAM SMT Service"="C:\Program Files\C4ebreg\isamsmt.exe" [ ]
"stgclean"="c:\sdwork\w32main2.exe" [2008-04-14 12:44 272896]
"Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [2005-09-06 10:07 28672]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-27 21:33 125168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 01:00 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 01:00 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 01:00 118784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 01:00 925696]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2008-05-27 12:13 217600]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 01:00 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 01:00 512000]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 01:00 66176]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-04-13 06:15 196608]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-04-13 06:15 208896]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 12:41 126976]
"TpShocks"="TpShocks.exe" [2007-03-29 19:40 181808 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 02:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 08:03 58416]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 17:28 868352]
"MyHelpService"="C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\delaystart.exe" [2006-12-19 14:44 81920]
"ipmcmu"="c:\Program Files\IBM\IPM Client Migration Utility\ipmcmu.exe" [2007-10-02 12:53 204800]
"PSQLLauncher"="C:\Program Files\Thinkvantage Fingerprint Software\launcher.exe" [ ]
"pmonmh"="C:\Program Files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.24/pmonmh.exe" [2007-05-02 19:38 188416]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 12:46 413696]
"defergui"="c:/sdwork/defergui.exe" [2008-03-03 15:18 138752 c:\sdwork\defergui.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"C4EBReg"="C:\Program Files\C4ebreg\c4ebreg.exe" [2008-02-06 16:58 372736]
"Isamtray"="C:\Program Files\C4ebreg\isamtray.exe" [2008-05-02 15:35 253952]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-01 20:25:16 622653]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll 2007-05-17 12:41 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
atmgrtok.dll 2005-09-06 10:07 53248 C:\Program Files\IBM\Personal Communications\atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
pcsinst.dll 2005-09-06 19:43 49152 C:\WINDOWS\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 01:00 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 01:00 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.j2se.win32.x86_1.5.0.SR6-200802132253\\jre\\bin\\notes2w.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-02 18:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-02 18:47]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2007-04-02 12:24]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-04-13 06:15]
R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2005-09-06 10:07]
R2 artstartsvc;IBM Mobility Client Start Utility;C:\Program Files\IBM\Mobility Client\artstartsvc.exe [2007-04-02 16:39]
R2 DCDClient-ISSI;IBM DCD Standard Client (DCDClient-ISSI);C:\Program Files\IBM\tivoli\dcd\client\ISSI\cds\CDSWinSrv.exe [2007-12-12 23:46]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2005-09-06 10:07]
R2 ISAMSvc;IBM Standard Asset Manager Service;"C:\Program Files\C4ebreg\c4ebreg.exe" [2008-02-06 16:58]
R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2005-09-06 10:07]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2005-09-06 10:07]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2005-09-06 10:07]
R3 ABVPN2K;Net Firewall Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2004-06-03 18:47]
R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2005-09-06 10:07]
R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2005-09-06 10:07]
R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2005-09-06 10:07]
R3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13:48]
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2005-09-06 10:07]
R3 pdlnacom;PDLC Adapter -- COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2005-09-06 10:07]
R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2005-09-06 10:07]
R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2005-09-06 10:07]
R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2005-09-06 10:07]
R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2005-09-06 10:07]
R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2005-09-06 10:07]
R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2005-09-06 10:07]
R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2005-09-06 10:07]
R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2005-09-06 10:07]
R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2005-09-06 10:07]
R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2005-09-06 10:07]
R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2005-09-06 10:07]
R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2005-09-06 10:07]
R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2005-09-06 10:07]
R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2005-09-06 10:07]
R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2005-09-06 10:07]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2005-09-06 10:07]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2005-09-06 10:07]
R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2005-09-06 10:07]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2005-09-06 10:07]
R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2005-09-06 10:07]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-11-15 04:00]
S2 MyHelp;My Help;C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpService.exe [2006-12-11 11:48]
S3 wcndis;Mobility Client Virtual Miniport;C:\WINDOWS\system32\DRIVERS\wcndis.sys [2006-01-30 08:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcd00112-710f-11dc-b87c-020255061358}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 14:39:56 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 17:46:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2008-06-11 17:48:33
ComboFix-quarantined-files.txt 2008-06-11 16:48:12
ComboFix2.txt 2008-06-11 14:46:34

Pre-Run: 26,180,861,952 bytes free
Post-Run: 26,231,758,848 bytes free

212

#7 User is offline   virtualinsanity 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 10-June 08

Posted 11 June 2008 - 02:24 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, June 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 11, 2008 16:41:50
Records in database: 852182
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 97164
Threat name: 5
Infected objects: 23
Suspicious objects: 0
Duration of the scan: 02:10:53


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06FC0000\4EFCECC1.VBN Infected: Trojan-Downloader.Win32.Zlob.mqa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06FC0001\4EFCEF71.VBN Infected: Trojan-Downloader.Win32.Zlob.mqa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06FC0002\4EFCF1D6.VBN Infected: Trojan-Downloader.Win32.Zlob.mqa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06FC0003\4EFCF430.VBN Infected: Trojan-Downloader.Win32.Zlob.mqa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C740000\4C7CE2A6.VBN Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F300000\4F7A497D.VBN Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F300002\4F7A5499.VBN Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\epuysgfu.dll.vir Infected: Trojan.Win32.Obfuscated.auw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fkpuxftg.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\josxpfcn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jpvckghg.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kcnhtrmv.dll.vir Infected: Trojan.Win32.Monder.mx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\napfyvfv.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ndnordlm.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\panmprlm.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\petpjnxi.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\shlonjso.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sxtfeqgy.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tyuypnpd.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ueqbndsm.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vewkwfhp.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xpqvtoaa.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyxUkjK.dll.vir.vir Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.

#8 User is offline   virtualinsanity 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 10-June 08

Posted 12 June 2008 - 10:17 AM

So is that it Sam please? does my OS look clean now? No other actions?
I have tried using it today, and it seems ok...
Pls advise if there's anything else I need to do
thanks!
andy

#9 User is offline   Buckeye_Sam 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,382
  • Joined: 23-December 04
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 June 2008 - 03:25 PM

Yep, you're looking good!


Let's get rid of Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    • Posted Image


  • When shown the disclaimer, Select "2"



=================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt

      • Change the Download unsigned ActiveX controls to Disable

      • Change the Initialize and script ActiveX controls not marked as safe to Disable

      • Change the Installation of desktop items to Prompt

      • Change the Launching programs and files in an IFRAME to Prompt

      • Change the Navigate sub-frames across different domains to Prompt

      • When all these settings have been made, click on the OK button.

      • If it prompts you as to whether or not you want to save the settings, press the Yes button.

    • Next press the Apply button and then the OK to exit the Internet Properties page.


  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources


  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls


  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware


  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 User is offline   Buckeye_Sam 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,382
  • Joined: 23-December 04
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 June 2008 - 04:04 PM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users