Post #1 (Jun 10 2007, 08:55 AM)
New Member. Group: Members. Posts: 12. Joined: 10-June 07. From: Singapore / Australia. Member No.: 135,721
Love forums like these. I just can't stand these spywares that pretend to be free PC scanners and whatnot. Basically it's exactly the same problem as Cameo (Infected With Spycrush 3.2, Don't know how to remove it) who also posted today. I've run the previous SmitfraudFix.exe but this is a new version of the spyware and the irritating popup icon with the "you are infected seek help now with us" or something nonsense keeps coming up. I followed the instructions given to him. Here's my log. Running in SAFE mode does NOT stop this icon from popping up! Everything else doesn't load, but THIS icon keeps coming up. I don't know what else to do. Tried running through my registry hunting for it but to no avail. Apparently yesgnhr.dll may be the key to the problem. Thanks for any help guys.

SmitFraudFix v2.195

Scan done at 23:40:48.93, 10/06/2007
Run from C:\Documents and Settings\Leslie Yong\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Backup4all\B4AOTB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\yesgnhr.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Leslie Yong

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Leslie Yong\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LESLIE~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6f396a67-f473-48c9-9950-636ce17e584e}"="hellenophile"

[HKEY_CLASSES_ROOT\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e}\InProcServer32]
@="C:\WINDOWS\system32\yesgnhr.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e}\InProcServer32]
@="C:\WINDOWS\system32\yesgnhr.dll"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 130.102.2.15
DNS Server Search Order: 130.102.128.43

HKLM\SYSTEM\CCS\Services\Tcpip\..\{257550C4-96B6-43F8-80CB-4162727B934F}: DhcpNameServer=130.102.2.15 130.102.128.43
HKLM\SYSTEM\CS1\Services\Tcpip\..\{257550C4-96B6-43F8-80CB-4162727B934F}: DhcpNameServer=130.102.2.15 130.102.128.43
HKLM\SYSTEM\CS3\Services\Tcpip\..\{257550C4-96B6-43F8-80CB-4162727B934F}: DhcpNameServer=130.102.2.15 130.102.128.43
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=130.102.2.15 130.102.128.43
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=130.102.2.15 130.102.128.43
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=130.102.2.15 130.102.128.43

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
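The SharedTaskScheduler key in that log is the persistence point: Explorer loads the InProcServer32 DLL of every CLSID listed there each time it starts, Safe Mode included, which matches the icon surviving Safe Mode. As an added example (not part of the original post and not SmitfraudFix's own code), this Python parses a SmitfraudFix report and pairs each SharedTaskScheduler CLSID with its InProcServer32 DLL, marking the ones the scan reported as FOUND; the embedded report is constructed from the log above plus one made-up benign entry.

```python
"""Correlate SharedTaskScheduler CLSIDs in a SmitfraudFix report with the files it flagged.

Added example, not SmitfraudFix code. SAMPLE_REPORT is constructed from the
relevant sections of the log in the post above, plus one made-up benign entry
({00000000-0000-0000-0000-000000000001}) so the correlation has something to pass.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE_REPORT = r"""
SmitFraudFix v2.195

Scan done at 23:40:48.93, 10/06/2007
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\yesgnhr.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6f396a67-f473-48c9-9950-636ce17e584e}"="hellenophile"
"{00000000-0000-0000-0000-000000000001}"="constructed benign entry"

[HKEY_CLASSES_ROOT\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e}\InProcServer32]
@="C:\WINDOWS\system32\yesgnhr.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\WINDOWS\system32\constructed_benign.dll"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r"^»+\s*(.*)$")             # »»»» <section name>
KEY_RE = re.compile(r"^\[(.+)\]$")                   # [HKEY_...\...]
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)="(.*)"$')   # "name"="data" or @="data"
FOUND_RE = re.compile(r"^(.+?)\s+FOUND\s*!$")         # <path> FOUND !
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


class Report(NamedTuple):
    found: Dict[str, str]    # flagged file path -> section it was found in
    sts: Dict[str, str]      # SharedTaskScheduler CLSID (lowercase) -> display name
    inproc: Dict[str, str]   # CLSID (lowercase) -> InProcServer32 DLL path


class Finding(NamedTuple):
    clsid: str
    name: str
    dll: str
    flagged: bool


def parse_report(text: str) -> Report:
    """Walk the report line by line, tracking the current section and registry key."""
    found: Dict[str, str] = {}
    sts: Dict[str, str] = {}
    inproc: Dict[str, str] = {}
    section = ""
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section, key = m.group(1).strip(), ""      # new section resets the key context
        elif (m := FOUND_RE.match(line)):
            found[m.group(1)] = section
        elif (m := KEY_RE.match(line)):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            name, data = m.group(1), m.group(2)        # name is None for the "@" default value
            if key.endswith("\\SharedTaskScheduler") and name:
                sts[name.lower()] = data
            elif key.endswith("\\InProcServer32") and name is None:
                if (c := CLSID_RE.search(key)):
                    inproc[c.group(0).lower()] = data
    return Report(found, sts, inproc)


def correlate(report: Report) -> List[Finding]:
    """Pair every SharedTaskScheduler CLSID with its DLL and mark those the scan flagged."""
    flagged = {p.lower() for p in report.found}
    results = []
    for clsid, name in report.sts.items():
        dll = report.inproc.get(clsid, "(no InProcServer32 in report)")
        results.append(Finding(clsid, name, dll, dll.lower() in flagged))
    return results


if __name__ == "__main__":
    for f in correlate(parse_report(SAMPLE_REPORT)):
        print(("FLAGGED " if f.flagged else "ok      ") + f"{f.clsid} {f.name!r} -> {f.dll}")
```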
Post #2 (Jun 10 2007, 02:35 PM)
Forum Addict. Group: HJT Team. Posts: 1,389. Joined: 6-February 05. From: The Netherlands. Member No.: 11,439
Please redownload Smitfraudfix as it is updated!
* Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop. Don't use it yet.

* Reboot into Safe Mode (without networking support!)
  To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  (Warning: running option #2 on a non-infected computer will remove your Desktop background and set it blank again. But you can reapply your desktop background again afterwards.)
  You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
  The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
  A text file will appear onscreen, with results from the cleaning process.

Post the log from smitfraudfix in your next reply together with a new hijackthislog. The report can also be found at the root of the system drive, usually at C:\rapport.txt

--------------------
Dick (Personal Page)
How did I get infected in the first place? My help is always free, but if you want to donate to help me continue my fight against malware -- click here!
Post #3 (Jun 11 2007, 05:26 AM)
New Member. Group: Members. Posts: 12. Joined: 10-June 07. From: Singapore / Australia. Member No.: 135,721
SmitFraudFix v2.195

Scan done at 20:05:25.50, 11/06/2007
Run from C:\Documents and Settings\Leslie Yong\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6f396a67-f473-48c9-9950-636ce17e584e}"="hellenophile"

[HKEY_CLASSES_ROOT\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e}\InProcServer32]
@="C:\WINDOWS\system32\yesgnhr.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e}\InProcServer32]
@="C:\WINDOWS\system32\yesgnhr.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\yesgnhr.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\yesgnhr.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS3\Services\Tcpip\..\{257550C4-96B6-43F8-80CB-4162727B934F}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B81762A5-08D8-45C2-8ADE-D5415832F1C1}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 20:21:02, on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\CNAB3RPK.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Backup4all\Backup4all.exe
C:\Program Files\Backup4all\B4AOTB.exe
C:\Program Files\Backup4all\Backup4all.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Utopia\Angel\Angel.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Backup4all] C:\Program Files\Backup4all\Backup4all.exe /s
O4 - HKCU\..\Run: [Backup4all OTB Agent] C:\Program Files\Backup4all\B4AOTB.exe
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

Woohooo, it appears my popup is now gone. Is there anything else that's not going down well with me laptop? BTW thanks -tonnes- for the help. I see the amount of requests, and I really appreciate the work you guys are doing! =)
Post #4 (Jun 11 2007, 09:33 AM)
Forum Addict. Group: HJT Team. Posts: 1,389. Joined: 6-February 05. From: The Netherlands. Member No.: 11,439
You can fix these items:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Your HijackThis log is clean. Tell me how your system is running now!
Post #5 (Jun 12 2007, 12:18 PM)
New Member. Group: Members. Posts: 12. Joined: 10-June 07. From: Singapore / Australia. Member No.: 135,721
Hey, it's running just fine! Nothing out of the ordinary, least not to me. I fixed both items you recommended! =)
P.S. I just remembered. On my computer back home, my "Safely Remove Hardware" icon disappeared some time ago from my taskbar and now I can't stop hardware before removing it. How do I get the icon back on my taskbar?

This post has been edited by paN!cker: Jun 12 2007, 09:45 PM
Post #6 (Jun 16 2007, 05:18 AM)
Forum Addict. Group: HJT Team. Posts: 1,389. Joined: 6-February 05. From: The Netherlands. Member No.: 11,439
1. Right click Taskbar and select Properties (The default location for the taskbar is at the bottom of the screen, and from left to right it contains by default the Start menu, Quick Launch bar, Taskbar buttons and Notification area)
2. Click on the "Customize" button. Check if it is blurred out. If not, you need to uncheck "Hide inactive icons".
3. You'll see the Customize Notification options. At the Current Items, select "Always Show" for the "Safely Remove Hardware" icon.

See if that works.
Post #7 (Jun 17 2007, 09:22 AM)
New Member. Group: Members. Posts: 12. Joined: 10-June 07. From: Singapore / Australia. Member No.: 135,721
Hmmm, I vaguely remember trying that last time and it still didn't show in my taskbar. I'll try that again in a week. I'm in Australia now and am returning home for the hols in a week.

Cheers
Christopher

This post has been edited by paN!cker: Jun 17 2007, 09:28 AM
Post #8 (Jun 17 2007, 09:32 AM)
Forum Addict. Group: HJT Team. Posts: 1,389. Joined: 6-February 05. From: The Netherlands. Member No.: 11,439
There are a couple of things I can recommend in this case.
[1] Unhide the icon:
If you have your notifications area set to hide icons, you will need to click the double left pointing arrow to show the hidden icons. If you would like to permanently unhide these icons, here's how:
1. Right click your notification area (next to the clock)
2. Select Properties
3. Uncheck the entry titled: Hide inactive icons
4. Click OK

[2] Invoke the Safely Remove Hardware window:
If you would like to invoke the Safely Remove Hardware window, here's how:
1. Go to Start>> Run. Type in:
RUNDLL32 SHELL32.DLL,Control_RunDLL hotplug.dll
(you may want to copy and paste the above command into the run text box for accuracy's sake)
2. Press Enter.
3. Double click the entry in the body of the window to view all installed USB devices.
4. Select the one that you would like to Stop.
5. Unplug the stopped device.

[3] Reboot to restore the Safely Remove Hardware icon:
It has been reported that a simple reboot will restore the subject icon to the notification area.

[4] Make sure Safely Remove Hardware is set to "always show":
1. Go to Start>> Control Panel
2. Select Taskbar and Start Menu
3. Select the Customize button
4. Scroll the list to find the "Safely Remove Hardware" entry
5. Be sure that it is set to "Always show" or "Always hide" is OK. If it is set to "Always hide", click the "Always hide" entry and select one of the other two listed options.
6. Click OK and exit all open windows
Post #9 (Jun 26 2007, 12:49 AM)
New Member. Group: Members. Posts: 12. Joined: 10-June 07. From: Singapore / Australia. Member No.: 135,721
Hi didom,
I did what you said and when I stopped my USB device from working, the icon appeared in my taskbar. However, when I rebooted, the icon did not load up. And clicking the always show option doesn't make it show. My weirddd computer
Post #10 (Jun 26 2007, 08:03 AM)
Forum Addict. Group: HJT Team. Posts: 1,389. Joined: 6-February 05. From: The Netherlands. Member No.: 11,439
Well, I can't see any malware anymore.
So I have to redirect you to this forum: http://www.bleepingcomputer.com/forums/forum56.html
Because I have no idea what to try more! Thanks!

------------------------------
This log looks clean!

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer. This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

Please post back if you are still having any problems....
Post #11 (Jul 9 2007, 11:26 PM)
New Member. Group: Members. Posts: 12. Joined: 10-June 07. From: Singapore / Australia. Member No.: 135,721
thank you. you've been a mighty great help!
Post #12 (Jul 10 2007, 06:27 AM)
Forum Addict. Group: HJT Team. Posts: 1,389. Joined: 6-February 05. From: The Netherlands. Member No.: 11,439
You're welcome