Please Help! Http://www.sysprotectionpage.com/ !

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Please Help! Http://www.sysprotectionpage.com/ !, Keep getting pup-ups and routed to http://www.sysprotectionpage.com/

Options

MatadorM83 View Member Profile	Jun 26 2006, 09:16 PM Post #1
Member Group: Members Posts: 22 Joined: 26-June 06 Member No.: 73,637	Hi, I am brand new here, and I apologize in advance if I am breaking any social rules by posting this here. I'm really scared right now and I could use some help. My work Laptop has been infected with what I think is Spywarequake, based on what I read on your site. The key annoyance is that everytime I open my IE browser, I get redirected to //www.sysprotectionpage.com . Also, I can not reset my home page, and also, TONS of annoying pop ups come onto my screen, ordering my to by spyware removal software. I am running Windows 2000 I have no idea how I got this and I am afraid I will get in big trouble at work. Here is my Hijack This log. If anyone can help me, I would appreciate this: Logfile of HijackThis v1.99.1 Scan saved at 6:17:17 PM, on 6/26/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\csrss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\ibmpmsvc.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\S24EvMon.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvsservice.exe C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvslock.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe C:\Program Files\NavNT\rtvscan.exe C:\WINNT\system32\RegSrvc.exe C:\WINNT\system32\regsvc.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINNT\system32\stisvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINNT\System32\TPHDEXLG.EXE C:\WINNT\system32\TpKmpSVC.exe C:\WINNT\system32\UAService7.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\1XConfig.exe C:\WINNT\System32\SCardSvr.exe C:\WINNT\system32\dcomcfg.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe C:\WINNT\system32\TpShocks.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\WINNT\tppaldr.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\WINNT\system32\RunDll32.exe C:\WINNT\AGRSMMSG.exe C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe C:\WINNT\system32\PRPCUI.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINNT\system32\TpScrLk.exe C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe C:\Program Files\TrojanHunter 4.5\THGuard.exe C:\WINNT\system32\MANTEC~1\javaw.exe C:\WINNT\system32\?icrosoft\fast.exe C:\Program Files\Trillian\trillian.exe C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\TP\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = MOMAISA:8080 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINNT\system32\hp100.tmp O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\qommkig.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe" O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe" O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe" O4 - HKLM\..\Run: [TpShocks] TpShocks.exe O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TPKBDLED] C:\WINNT\system32\TpScrLk.exe O4 - HKLM\..\Run: [MSN Funny Images] imsngsr.exe O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe" O4 - HKCU\..\Run: [Ilth] "C:\WINNT\system32\MANTEC~1\javaw.exe" -vt yazb O4 - HKCU\..\Run: [Kfbs] C:\WINNT\system32\?icrosoft\fast.exe O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll O9 - Extra button: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe O16 - DPF: RaptisoftGameLoader - http://www.raptisoft.com/webgames/raptisoftgameloader.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136163434280 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://websidestory.webex.com/client/v_myw...bex/ieatgpc.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MUSEUM.MOMA.ORG O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MUSEUM.MOMA.ORG O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = MUSEUM.MOMA.ORG O20 - AppInit_DLLs: C:\WINNT\system32\wuauclt.dll C:\WINNT\system32\winword.dll C:\WINNT\system32\cmd.dll O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O20 - Winlogon Notify: qommkig - C:\WINNT\SYSTEM32\qommkig.dll O20 - Winlogon Notify: tpfnf2 - C:\WINNT\SYSTEM32\notifyf2.dll O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll O20 - Winlogon Notify: winmdw32 - winmdw32.dll (file missing) O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvsservice.exe O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvslock.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe (file missing) O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.EXE O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe //Mod edit to modify hot link URL above. This post has been edited by KoanYorel: Jun 26 2006, 10:16 PM

miekiemoes View Member Profile	Jun 27 2006, 07:56 AM Post #2
Malware Killer Dog Group: HJT Team Posts: 18,700 Joined: 18-February 05 From: Belgium Member No.: 12,408	Hello, It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. It is also important you don't miss a step and perform everything in the right order!! Go to start > controlpanel > software > add/remove programs and uninstall next if present: Oin Yazzle by Oin Purityscan by Oin Snowballwars by Oin Cowabanga by OIN or anything similar with Oin in it. If OIN not listed, download and run this uninstaller. Reboot when done! Really important! After reboot, Please download, install, and update Ewido anti-spyware Load Ewido and then click the Update tab at the top. Under Manual Update click Start update. After the update finishes (the status bar at the bottom will display "Update successful") Close ewido. Do not run it yet. * Download smitRem and save the file to your desktop. Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem. * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINNT\system32\hp100.tmp O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\qommkig.dll O4 - HKLM\..\Run: [MSN Funny Images] imsngsr.exe O4 - HKCU\..\Run: [Ilth] "C:\WINNT\system32\MANTEC~1\javaw.exe" -vt yazb O4 - HKCU\..\Run: [Kfbs] C:\WINNT\system32\?icrosoft\fast.exe O9 - Extra button: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Program Files\IEWatch\IEWatch.dll O16 - DPF: RaptisoftGameLoader - http://www.raptisoft.com/webgames/raptisoftgameloader.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab O20 - AppInit_DLLs: C:\WINNT\system32\wuauclt.dll C:\WINNT\system32\winword.dll C:\WINNT\system32\cmd.dll O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing) O20 - Winlogon Notify: qommkig - C:\WINNT\SYSTEM32\qommkig.dll O20 - Winlogon Notify: winmdw32 - winmdw32.dll (file missing) * Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked! Ignore the error you'll get in hijackthis. * Reboot into Safe Mode`: ( without networking support !) °To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key. * Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer Go to Control Panel > Internet Options > General tab Click the "Delete Cookies" button Next to it, Click the "Delete Files" button When prompted, place a check in: "Delete all offline content", click OK * Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): Go to Tools > Options. Click Privacy in the menu on the left side of the Options window. Click the Clear button located to the right of each option (History, Cookies, Cache). Click OK to close the Options window Alternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information. * Clean other Temporary files + Recycle bin Go to start > run and type: cleanmgr and click ok. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them. Still in Safe Mode, load Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared. Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side. Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop). Close Ewido. * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. * Reboot back into Windows normal mode. * Perform an onlinescan with panda: (please use this scanner instead of any other scanner!) Panda Online - Once you are on the Panda site click the Scan your PC button - A new window will open...click the Check Now button - Enter your Country - Enter your State/Province - Enter your e-mail address and click send - Select either Home User or Company - Click the big Scan Now button - If it wants to install an ActiveX component allow it - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) - When download is complete, click on Local Disks to start the scan - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the Panda scan report in your next reply along with a new HijackThis Log, the Ewidolog, the contents of smitfiles.txt which is present on your Homedrive (C:\ in most cases) by using Add Reply. You'll need more than one reply to post all the logs. This post has been edited by miekiemoes: Jun 27 2006, 07:56 AM -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

MatadorM83 View Member Profile	Jun 27 2006, 09:59 AM Post #3
Member Group: Members Posts: 22 Joined: 26-June 06 Member No.: 73,637	THANK YOU! I will get right to work on this!

miekiemoes View Member Profile	Jun 27 2006, 10:07 AM Post #4
Malware Killer Dog Group: HJT Team Posts: 18,700 Joined: 18-February 05 From: Belgium Member No.: 12,408	Ok, I'll wait for your reply with the logs. -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

MatadorM83 View Member Profile	Jun 27 2006, 11:44 AM Post #5
Member Group: Members Posts: 22 Joined: 26-June 06 Member No.: 73,637	Time to post some Logs... smitRem © log file version 3.0 by noahdfear Microsoft Windows 2000 [Version 5.00.2195] "IE"="6.0000" The current date is: Tue 06/27/2006 The current time is: 11:56:32.66 Running from C:\Documents and Settings\jgentile\Desktop\smitRem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pre-run SharedTask Export (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright© 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key not present! checking for WinHound.com key WinHound.com key not present! checking for drsmartload2 key drsmartload2 key not present! spyaxe uninstaller NOT present Winhound uninstaller NOT present SpywareStrike uninstaller NOT present AlfaCleaner uninstaller NOT present SpyFalcon uninstaller NOT present SpywareQuake uninstaller NOT present SpywareSheriff uninstaller NOT present ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright© 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 524 'explorer.exe' Starting registry repairs Registry repairs complete ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SharedTask Export after registry fix (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright© 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Deleting files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ CLEAN!

MatadorM83 View Member Profile	Jun 27 2006, 11:46 AM Post #6
Member Group: Members Posts: 22 Joined: 26-June 06 Member No.: 73,637	--------------------------------------------------------- ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 12:32:18 PM 6/27/2006 + Scan result: C:\Documents and Settings\jgentile\Local Settings\Temp\!update.exe -> Adware.ClickSpring : Cleaned with backup (quarantined). C:\WINNT\system32\rundll32.dll.tcf -> Adware.PurityScan : Cleaned with backup (quarantined). HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined). C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Ignored. ::Report end

miekiemoes View Member Profile	Jun 27 2006, 11:56 AM Post #7
Malware Killer Dog Group: HJT Team Posts: 18,700 Joined: 18-February 05 From: Belgium Member No.: 12,408	Can you also post the Panda log and a new hijackthislog? -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

MatadorM83 View Member Profile	Jun 27 2006, 12:04 PM Post #8
Member Group: Members Posts: 22 Joined: 26-June 06 Member No.: 73,637	Incident Status Location Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jgentile\Desktop\smitRem\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jgentile\Desktop\smitRem.exe[smitRem/Process.exe] Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\jgentile\Local Settings\Temp\ctxad.exe[NDrv.dll] Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\Downloaded Program Files\5220062c5d06c1af2a8cc7168fe15d20_35.exe Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\qommkig.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\winmdw32.dll.tcf Adware:Adware/PurityScan Not disinfected C:\WINNT\system32\W?nSxS\wuaclt.exe

MatadorM83 View Member Profile	Jun 27 2006, 12:14 PM Post #9
Member Group: Members Posts: 22 Joined: 26-June 06 Member No.: 73,637	And Last but not least.... Logfile of HijackThis v1.99.1 Scan saved at 1:11:03 PM, on 6/27/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\ibmpmsvc.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\S24EvMon.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvsservice.exe C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvslock.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe C:\Program Files\NavNT\rtvscan.exe C:\WINNT\system32\RegSrvc.exe C:\WINNT\system32\regsvc.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINNT\system32\stisvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINNT\System32\TPHDEXLG.EXE C:\WINNT\system32\TpKmpSVC.exe C:\WINNT\system32\UAService7.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\1XConfig.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\SCardSvr.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe C:\WINNT\system32\TpShocks.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\WINNT\tppaldr.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\WINNT\system32\RunDll32.exe C:\WINNT\AGRSMMSG.exe C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe C:\WINNT\system32\PRPCUI.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINNT\system32\TpScrLk.exe C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe C:\Program Files\TrojanHunter 4.5\THGuard.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Trillian\trillian.exe C:\TP\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = MOMAISA:8080 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe" O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe" O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe" O4 - HKLM\..\Run: [TpShocks] TpShocks.exe O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TPKBDLED] C:\WINNT\system32\TpScrLk.exe O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe" O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136163434280 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://websidestory.webex.com/client/v_myw...bex/ieatgpc.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MUSEUM.MOMA.ORG O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MUSEUM.MOMA.ORG O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = MUSEUM.MOMA.ORG O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvsservice.exe O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvslock.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe (file missing) O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.EXE O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe Hey! I think we GOT IT! The Pop-Ups are gone and I have control of my browser again!!!! I think we got it! I have browser control again!!!

miekiemoes View Member Profile	Jun 27 2006, 12:18 PM Post #10
Malware Killer Dog Group: HJT Team Posts: 18,700 Joined: 18-February 05 From: Belgium Member No.: 12,408	Hello, QUOTE Hey! I think we GOT IT! The Pop-Ups are gone and I have control of my browser again!!!! I think we got it! I have browser control again!!! No, there's still something hiding there. delete next files and folder: C:\Documents and Settings\jgentile\Local Settings\Temp\ctxad.exe C:\WINNT\system32\winmdw32.dll.tcf C:\WINNT\system32\W?nSxS <== this folder. Be carefull here!! Don't try to delete the WinSxS folder present in your WINNT-folder. The one you have to delete is present in the system32 folder and contains ONLY the file wuaclt.exe. Also, be carefull, don't delete wuaclt.exe present in your System32-folder, because that one is legit!!! When in doubt, leave it but tell me afterwards. Go to start > run and type: regsvr32 /u occache.dll (or copy and paste this in the field in start > run ) Click Ok Now search and delete: C:\WINNT\Downloaded Program Files\popcaploader.dll C:\WINNT\Downloaded Program Files\5220062c5d06c1af2a8cc7168fe15d20_35.exe Go to start > run and type regsvr32 occache.dll Click OK Perform next.. Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Put a check next to Run VundoFix as a task. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK When VundoFix re-opens, click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. In case it says that nothing was been found, Right click the list box (white box) in the main VundoFix window. Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window. In the Window: copy and paste next in the first field: C:\WINNT\system32\qommkig.dll Copy and paste next in the second field: C:\WINNT\system32\gikmmoq.* Click the “Add Files” button. Click the "Close Window" button. Click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click OK. Turn your computer back on. Rename Hijackthis.exe to Analyse.exe (Important step!) Please post the contents of C:\vundofix.txt and a new HiJackThis log (created with analyse.exe) This post has been edited by miekiemoes: Jun 27 2006, 12:19 PM -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

MatadorM83 View Member Profile	Jun 27 2006, 12:41 PM Post #11
Member Group: Members Posts: 22 Joined: 26-June 06 Member No.: 73,637	Logfile of HijackThis v1.99.1 Scan saved at 1:40:09 PM, on 6/27/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\ibmpmsvc.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\S24EvMon.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvsservice.exe C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvslock.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe C:\Program Files\NavNT\rtvscan.exe C:\WINNT\system32\RegSrvc.exe C:\WINNT\system32\regsvc.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINNT\system32\stisvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINNT\System32\TPHDEXLG.EXE C:\WINNT\system32\TpKmpSVC.exe C:\WINNT\system32\UAService7.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\1XConfig.exe C:\WINNT\System32\SCardSvr.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe C:\WINNT\system32\TpShocks.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\WINNT\tppaldr.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\WINNT\system32\RunDll32.exe C:\WINNT\AGRSMMSG.exe C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe C:\WINNT\system32\PRPCUI.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINNT\system32\TpScrLk.exe C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe C:\Program Files\TrojanHunter 4.5\THGuard.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Trillian\trillian.exe C:\Program Files\Internet Explorer\iexplore.exe C:\TP\Analyse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = MOMAISA:8080 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {21EEAE1A-A76A-4FE4-8159-92A906833CA2} - C:\WINNT\system32\yayyv.dll (file missing) O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe" O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe" O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe" O4 - HKLM\..\Run: [TpShocks] TpShocks.exe O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\tppaldr.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TPKBDLED] C:\WINNT\system32\TpScrLk.exe O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe" O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136163434280 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://websidestory.webex.com/client/v_myw...bex/ieatgpc.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MUSEUM.MOMA.ORG O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MUSEUM.MOMA.ORG O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = MUSEUM.MOMA.ORG O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing) O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O20 - Winlogon Notify: tpfnf2 - C:\WINNT\SYSTEM32\notifyf2.dll O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll O20 - Winlogon Notify: winmdw32 - winmdw32.dll (file missing) O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvsservice.exe O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\GNU\WinCvs 1.3\CVSNT\cvslock.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe (file missing) O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.EXE O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe VundoFix V4.2.84 Checking Java version... Sun Java not detected Scan started at 1:33:41 PM 6/27/2006 Listing files found while scanning.... C:\WINNT\system32\vyyay.bak1 C:\WINNT\system32\vyyay.ini C:\WINNT\system32\yayyv.dll Attempting to delete C:\WINNT\system32\vyyay.bak1 C:\WINNT\system32\vyyay.bak1 Has been deleted! Attempting to delete C:\WINNT\system32\vyyay.ini C:\WINNT\system32\vyyay.ini Has been deleted! Attempting to delete C:\WINNT\system32\yayyv.dll C:\WINNT\system32\yayyv.dll Has been deleted! Performing Repairs to the registry. Done! VundoFix V4.2.84 Checking Java version... Sun Java not detected Scan started at 1:33:41 PM 6/27/2006 Listing files found while scanning.... C:\WINNT\system32\vyyay.bak1 C:\WINNT\system32\vyyay.ini C:\WINNT\system32\yayyv.dll Attempting to delete C:\WINNT\system32\vyyay.bak1 C:\WINNT\system32\vyyay.bak1 Has been deleted! Attempting to delete C:\WINNT\system32\vyyay.ini C:\WINNT\system32\vyyay.ini Has been deleted! Attempting to delete C:\WINNT\system32\yayyv.dll C:\WINNT\system32\yayyv.dll Has been deleted! Performing Repairs to the registry. Done!

miekiemoes View Member Profile	Jun 27 2006, 12:48 PM Post #12
Malware Killer Dog Group: HJT Team Posts: 18,700 Joined: 18-February 05 From: Belgium Member No.: 12,408	Now the other popups should be gone after performing above steps. Just some leftovers to fix in hijackthis, so check and fix next entries: O2 - BHO: (no name) - {21EEAE1A-A76A-4FE4-8159-92A906833CA2} - C:\WINNT\system32\yayyv.dll (file missing) O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing) O20 - Winlogon Notify: winmdw32 - winmdw32.dll (file missing) Delete next file if still present: C:\WINNT\system32\qommkig.dll Let me know in your next reply how things are running now. This post has been edited by miekiemoes: Jun 27 2006, 12:49 PM -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

MatadorM83 View Member Profile	Jun 27 2006, 02:09 PM Post #13
Member Group: Members Posts: 22 Joined: 26-June 06 Member No.: 73,637	Things are running smooth as silk! THANK YOU SO MUCH! This site is fantasitic, unlike some of the "pretenders" out there COUGHgeekstogo.comCOUGH

miekiemoes View Member Profile	Jun 27 2006, 02:28 PM Post #14
Malware Killer Dog Group: HJT Team Posts: 18,700 Joined: 18-February 05 From: Belgium Member No.: 12,408	Glad I could help. To keep this clean in the future, I would suggest the following things: Install Spywareblaster SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage. * Avoid illegal sites, because that's where most malware is present. * Don't click on links inside popups. * Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware. * Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware. Let your antispywarescanner(s) scan frequently and don't forget to update before. And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can. Also make sure that your virusscanner, the one that is installed on your system is always up to date! Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/ Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family. More info on how to prevent malware you can also find here (By Tony Klein) and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection If you want to fight back the Malware Writers that have made your life a misery, please take a look here. Happy surfing again! -------------------- AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter. My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

MatadorM83 View Member Profile	Jun 27 2006, 04:42 PM Post #15
Member Group: Members Posts: 22 Joined: 26-June 06 Member No.: 73,637	And make a donation to this great site too!!!!

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides