Vundo/virtumonde Infection (and Possibly Others)


  • This topic is locked
13 replies to this topic

#1 torpe1

torpe1

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:14 AM

Posted 10 April 2008 - 03:07 AM

Hi

I am a new member with limited technical knowledge. My teenage son's laptop has become infected with malware which I have failed to eradicate. He has an IBM R51e Thinkpad with a Celeron 1.5 GHz processor and 704 MB RAM. Running XP Pro SP2. AVG anti-virus/ZoneAlarm firewall/Spybot S&D/Windows Defender installed and updated and used.

History so far

1 AVG showed Virus Lop and Trojan Ircbot.DQC in vault. Spybot scan showed Virtumonde.dll trojan

2 I deleted the files in the AVG vault

3 I installed and ran CCleaner, fixing Registry issues and deleting all Temp file issues

4 I installed and ran Vundofix

5 I scanned with Microsoft onecare.live and found Vundo still present

6 I installed Vundobegone and ran in safe mode

7 I scanned again with AVG and onecare.live. AVG showed Trojan BHO.DMH in the vault, and onecare.live showed I still had Vundo infection.

8 I installed HijackThis, and the copy log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:42:11, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\tp4serv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Martin Pender\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {00FDD2CD-1F6D-427C-B183-7606B3C85A23} - (no file)
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E2FF924-561F-4D8E-BB42-20A58F0A5211} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CC09C7BA-CCD7-4829-BF84-7AEF36CC34E8} - C:\WINDOWS\system32\opnmMcab.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: (no name) - {F8943363-B2F4-42BA-8442-4BD17788742D} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162998965078
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37710.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - https://horizon.fwcommercial.com/forms90/ji...iator/jinit.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10244 bytes

The Virtumondebegone log from yesterday is also attached:


[04/09/2008, 18:10:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Martin Pender\Desktop\VirtumundoBeGone.exe" )
[04/09/2008, 18:10:14] - Detected System Information:
[04/09/2008, 18:10:14] - Windows Version: 5.1.2600, Service Pack 2
[04/09/2008, 18:10:14] - Current Username: Martin Pender (Admin)
[04/09/2008, 18:10:14] - Windows is in SAFE mode.
[04/09/2008, 18:10:14] - Searching for Browser Helper Objects:
[04/09/2008, 18:10:14] - BHO 1: {00FDD2CD-1F6D-427C-B183-7606B3C85A23} ()
[04/09/2008, 18:10:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:14] - No filename found. Continuing.
[04/09/2008, 18:10:14] - BHO 2: {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} ()
[04/09/2008, 18:10:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:14] - Checking for HKLM\...\Winlogon\Notify\pmnlkkJa
[04/09/2008, 18:10:14] - Found: HKLM\...\Winlogon\Notify\pmnlkkJa - This is probably Virtumundo.
[04/09/2008, 18:10:14] - Assigning {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} MSEvents Object
[04/09/2008, 18:10:14] - BHO list has been changed! Starting over...
[04/09/2008, 18:10:14] - BHO 1: {00FDD2CD-1F6D-427C-B183-7606B3C85A23} ()
[04/09/2008, 18:10:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:14] - No filename found. Continuing.
[04/09/2008, 18:10:14] - BHO 2: {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} (MSEvents Object)
[04/09/2008, 18:10:14] - ALERT: Found MSEvents Object!
[04/09/2008, 18:10:14] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2008, 18:10:14] - BHO 4: {3E2FF924-561F-4D8E-BB42-20A58F0A5211} ()
[04/09/2008, 18:10:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:14] - No filename found. Continuing.
[04/09/2008, 18:10:14] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/09/2008, 18:10:14] - BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/09/2008, 18:10:14] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/09/2008, 18:10:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:14] - No filename found. Continuing.
[04/09/2008, 18:10:14] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[04/09/2008, 18:10:14] - BHO 9: {CC09C7BA-CCD7-4829-BF84-7AEF36CC34E8} ()
[04/09/2008, 18:10:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:14] - Checking for HKLM\...\Winlogon\Notify\opnmMcab
[04/09/2008, 18:10:14] - Key not found: HKLM\...\Winlogon\Notify\opnmMcab, continuing.
[04/09/2008, 18:10:14] - BHO 10: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (Ask Toolbar BHO)
[04/09/2008, 18:10:14] - BHO 11: {F8943363-B2F4-42BA-8442-4BD17788742D} ()
[04/09/2008, 18:10:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:14] - No filename found. Continuing.
[04/09/2008, 18:10:14] - Finished Searching Browser Helper Objects
[04/09/2008, 18:10:14] - *** Detected MSEvents Object
[04/09/2008, 18:10:14] - Trying to remove MSEvents Object...
[04/09/2008, 18:10:15] - Terminating Process: IEXPLORE.EXE
[04/09/2008, 18:10:15] - Terminating Process: RUNDLL32.EXE
[04/09/2008, 18:10:15] - Disabling Automatic Shell Restart
[04/09/2008, 18:10:15] - Terminating Process: EXPLORER.EXE
[04/09/2008, 18:10:16] - Suspending the NT Session Manager System Service
[04/09/2008, 18:10:16] - Terminating Windows NT Logon/Logoff Manager
[04/09/2008, 18:10:16] - Re-enabling Automatic Shell Restart
[04/09/2008, 18:10:16] - File to disable: C:\WINDOWS\system32\pmnlkkJa.dll
[04/09/2008, 18:10:16] - Removing HKLM\...\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}
[04/09/2008, 18:10:16] - Removing HKCR\CLSID\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}
[04/09/2008, 18:10:16] - Adding Kill Bit for ActiveX for GUID: {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}
[04/09/2008, 18:10:16] - Deleting ATLEvents/MSEvents Registry entries
[04/09/2008, 18:10:16] - Removing HKLM\...\Winlogon\Notify\pmnlkkJa
[04/09/2008, 18:10:16] - Searching for Browser Helper Objects:
[04/09/2008, 18:10:16] - BHO 1: {00FDD2CD-1F6D-427C-B183-7606B3C85A23} ()
[04/09/2008, 18:10:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:16] - No filename found. Continuing.
[04/09/2008, 18:10:16] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/09/2008, 18:10:16] - BHO 3: {3E2FF924-561F-4D8E-BB42-20A58F0A5211} ()
[04/09/2008, 18:10:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:16] - No filename found. Continuing.
[04/09/2008, 18:10:16] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/09/2008, 18:10:16] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/09/2008, 18:10:16] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/09/2008, 18:10:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:16] - No filename found. Continuing.
[04/09/2008, 18:10:16] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[04/09/2008, 18:10:16] - BHO 8: {CC09C7BA-CCD7-4829-BF84-7AEF36CC34E8} ()
[04/09/2008, 18:10:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:16] - Checking for HKLM\...\Winlogon\Notify\opnmMcab
[04/09/2008, 18:10:16] - Key not found: HKLM\...\Winlogon\Notify\opnmMcab, continuing.
[04/09/2008, 18:10:16] - BHO 9: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (Ask Toolbar BHO)
[04/09/2008, 18:10:16] - BHO 10: {F8943363-B2F4-42BA-8442-4BD17788742D} ()
[04/09/2008, 18:10:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/09/2008, 18:10:16] - No filename found. Continuing.
[04/09/2008, 18:10:16] - Finished Searching Browser Helper Objects
[04/09/2008, 18:10:16] - Finishing up...
[04/09/2008, 18:10:16] - A restart is needed.
[04/09/2008, 18:10:24] - Attempting to Restart via STOP error (Blue Screen!)


Since running VBG, everything seems much faster, and almost normal, but I am concerned that onecare and AVG are still finding malware issues. Any help/advice would be hugely appreciated. END


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:14 AM

Posted 10 April 2008 - 05:03 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

At the moment there does not seem to be an active Vundo infection, which is of course a good sign.
We'll clean up the leftovers in your HJT log, then run a scan to pick up any other infected files.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {00FDD2CD-1F6D-427C-B183-7606B3C85A23} - (no file)
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - (no file)
O2 - BHO: (no name) - {3E2FF924-561F-4D8E-BB42-20A58F0A5211} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F8943363-B2F4-42BA-8442-4BD17788742D} - (no file)
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - https://horizon.fwcommercial.com/forms90/ji...iator/jinit.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

I want you to clean your cache and cookies from your Internet Explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer.
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Edited by D-Trojanator, 10 April 2008 - 05:04 AM.
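As an added example (not code from the thread, HijackThis, or VirtumundoBeGone), the script below applies the two checks visible in the logs above to sample HijackThis lines: VirtumundoBeGone's heuristic that a BHO with no default name whose DLL base name also appears as a Winlogon\Notify subkey is "probably Virtumundo", and the helper's selection of orphaned "(no file)"/"(file missing)" BHOs and of O16 DPF objects from unfamiliar hosts. The trusted-host list is an assumption, and the sample lines are constructed from entries in this thread (one reconstructs the pmnlkkJa BHO that VirtumundoBeGone removed).

```python
"""Offline triage of HijackThis O2 (BHO) and O16 (DPF) lines.

Added example, not part of the thread or of HijackThis/VirtumundoBeGone.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# HijackThis v2.0.2 line shapes for O2 and O16 entries.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")

# Assumption: hosts the thread's own O16 entries point at are treated as trusted.
TRUSTED_HOSTS = {"cdn.scan.onecare.live.com", "update.microsoft.com",
                 "download.zonelabs.com", "messenger.zone.msn.com"}


@dataclass
class Finding:
    kind: str      # "O2" or "O16"
    clsid: str
    target: str    # DLL path or download URL
    verdict: str   # "ok", "orphan", "likely-vundo" or "review"
    reason: str


def _basename_no_ext(path: str) -> str:
    """'C:\\WINDOWS\\system32\\pmnlkkJa.dll (file missing)' -> 'pmnlkkJa'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    name = re.sub(r"\s*\(file missing\)$", "", name)   # strip HJT's annotation
    return name.rsplit(".", 1)[0]


def triage_line(line: str, notify_subkeys: Set[str]) -> Optional[Finding]:
    """Classify one HJT line; returns None for lines that are not O2/O16."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
        nameless = name == "(no name)"
        missing = path == "(no file)" or path.endswith("(file missing)")
        notify_lower = {k.lower() for k in notify_subkeys}
        if nameless and not missing and _basename_no_ext(path).lower() in notify_lower:
            # VBG heuristic: same DLL registered as a BHO and as a Winlogon Notify package
            return Finding("O2", clsid, path, "likely-vundo",
                           "nameless BHO with matching Winlogon\\Notify subkey")
        if nameless and missing:
            return Finding("O2", clsid, path, "orphan",
                           "nameless BHO whose file is gone; leftover registration")
        if nameless:
            return Finding("O2", clsid, path, "review", "nameless BHO with file present")
        return Finding("O2", clsid, path, "ok", "named BHO: " + name)
    m = O16_RE.match(line)
    if m:
        clsid, url = m.group("clsid"), m.group("url")
        host = urlparse(url).hostname or ""
        if host in TRUSTED_HOSTS:
            return Finding("O16", clsid, url, "ok", "known host " + host)
        return Finding("O16", clsid, url, "review", "unfamiliar download host " + host)
    return None


def triage_log(text: str, notify_subkeys: Set[str]) -> List[Finding]:
    """Run triage_line over a whole log, keeping only O2/O16 findings."""
    return [f for f in (triage_line(l, notify_subkeys) for l in text.splitlines()) if f]


# Constructed sample: HJT-format lines from the thread, plus a second line that
# reconstructs the pmnlkkJa BHO as it stood before VirtumundoBeGone removed it.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {00FDD2CD-1F6D-427C-B183-7606B3C85A23} - (no file)
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\pmnlkkJa.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC09C7BA-CCD7-4829-BF84-7AEF36CC34E8} - C:\WINDOWS\system32\opnmMcab.dll (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162998965078
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - https://horizon.fwcommercial.com/forms90/ji...iator/jinit.exe
"""
# Winlogon\Notify subkeys as reported in the VBG and ComboFix logs above.
SAMPLE_NOTIFY = {"pmnlkkJa", "QConGina", "tpfnf2", "tphotkey"}

if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT, SAMPLE_NOTIFY):
        print(f"{f.kind:<4}{f.verdict:<13}{f.clsid}  {f.reason}")
```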


#3 torpe1

torpe1
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:14 AM

Posted 10 April 2008 - 10:02 AM

Thanks, David. All done, and here is the Combofix log:

ComboFix 08-04-09.8 - Martin Pender 2008-04-10 15:41:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.346 [GMT 1:00]
Running from: C:\Documents and Settings\Martin Pender\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 11:03 . 2008-04-10 11:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-10 11:03 . 2008-04-10 11:03 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-10 11:03 . 2008-04-10 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-09 17:51 . 2008-04-09 17:51 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-08 21:27 . 2008-04-08 21:27 <DIR> d-------- C:\VundoFix Backups
2008-04-08 13:29 . 2008-04-08 13:29 <DIR> d-------- C:\Program Files\CCleaner
2008-04-08 13:25 . 2008-04-08 13:25 <DIR> d-------- C:\Documents and Settings\Martin Pender\Application Data\Talkback
2008-04-08 13:24 . 2008-04-08 13:24 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-07 11:46 . 2008-04-07 11:45 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-07 11:46 . 2008-04-07 11:46 2,558 --a------ C:\WINDOWS\unins000.dat
2008-03-27 00:02 . 2008-03-27 00:02 <DIR> d-------- C:\Documents and Settings\Martin Pender\Application Data\Sonic
2008-03-27 00:00 . 2008-03-27 00:00 <DIR> d-------- C:\Documents and Settings\Martin Pender\Application Data\Leadertech
2008-03-26 19:57 . 2006-11-29 14:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-03-26 19:55 . 2008-03-26 19:55 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-21 20:39 . 2008-03-21 20:39 268 --ah----- C:\sqmdata03.sqm
2008-03-21 20:39 . 2008-03-21 20:39 268 --ah----- C:\sqmdata02.sqm
2008-03-21 20:39 . 2008-03-21 20:39 244 --ah----- C:\sqmnoopt03.sqm
2008-03-21 20:39 . 2008-03-21 20:39 244 --ah----- C:\sqmnoopt02.sqm
2008-03-16 19:54 . 2008-03-16 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-03-16 03:09 . 2004-08-04 01:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-16 03:09 . 2004-08-03 23:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-16 03:09 . 2004-08-03 23:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-16 03:09 . 2001-08-17 23:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 14:44 11,616,288 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-10 09:13 127,292 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-10 07:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-09 18:59 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-09 03:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-09 00:29 --------- d-----w C:\Documents and Settings\Martin Pender\Application Data\Skype
2008-04-07 12:25 --------- d-----w C:\Documents and Settings\Martin Pender\Application Data\Uniblue
2008-04-07 10:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 10:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-01 02:04 --------- d-----w C:\Program Files\Windows Live
2008-03-31 13:17 2,214,912 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-03-31 13:17 1,477,632 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-03-27 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-26 19:01 --------- d-----w C:\Program Files\MSN Messenger
2008-03-26 18:50 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 22:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 22:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-10 14:38 --------- d-----w C:\Program Files\Google
2008-03-01 17:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 17:22 2,140,672 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-02-29 17:22 1,044,480 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-21 09:57 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-01 10:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-12-29 01:55 56,832 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-12-27 01:52 1,141,248 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-10-19 07:19 7,549,605 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-10-04 16:28 1,372,160 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2007-06-14 06:36 20,833,362 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_06_11_21_39_52_full.dmp.zip
2007-04-10 20:37 421,888 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-04-03 21:52 1,620,480 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2007-03-02 22:07 1,594,368 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-02-14 22:26 570,880 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2006-12-22 07:08 20,936,191 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_21_23_52_02_full.dmp.zip
2006-11-28 23:23 5,819,392 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-07-21 08:54 1,305,088 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2006-07-18 16:37 3,571,200 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2006-07-18 16:37 1,303,040 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2006-07-13 08:05 1,302,016 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2006-06-14 06:02 47,125 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_06_13_09_11_26_small.dmp.zip
2006-06-14 06:02 44,319 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_06_13_09_09_54_small.dmp.zip
2006-06-13 07:07 50,055 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_06_10_21_52_40_small.dmp.zip
2006-06-01 06:12 45,973 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_05_31_18_38_18_small.dmp.zip
2006-06-01 06:12 36,041 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_05_31_18_37_07_small.dmp.zip
2006-04-19 07:16 45,210 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_04_18_09_55_19_small.dmp.zip
2006-04-19 07:16 34,315 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_04_18_09_54_23_small.dmp.zip
.

((((((((((((((((((((((((((((( snapshot@2008-04-10_10.19.07.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-10 09:12:51 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
+ 2008-04-10 14:43:59 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC09C7BA-CCD7-4829-BF84-7AEF36CC34E8}]
C:\WINDOWS\system32\opnmMcab.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-10-23 23:12 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2007-10-23 23:12 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20 20058152]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [2005-07-13 12:55 94208 C:\WINDOWS\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [2005-08-02 10:09 40960 C:\WINDOWS\system32\TP4EX.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 18:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 21:41 860160]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-29 06:15 344064]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 14:33 127037]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 01:50 221184]
"ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 01:50 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 19:40 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 17:43 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 18:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-20 10:57:57 24576]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-05-09 10:31:38 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2005-08-10 12:08 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 08:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-06-17 07:23 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amsg]
--------- 2005-08-02 06:36 475136 C:\Program Files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--------- 2005-08-10 10:10 208896 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauthe]
--------- 2005-08-03 03:52 1979952 C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2005-08-10 11:20 237568 C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
--------- 2005-08-10 10:00 98304 C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
-r------- 2005-07-08 00:22 49152 C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
--------- 2005-08-10 10:10 139264 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
--------- 2005-08-10 12:08 86016 C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
--------- 2005-08-02 02:32 40960 C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
--------- 2005-08-29 23:15 94208 C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
--------- 2005-08-12 02:58 864256 C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-08-10 12:08]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-08-10 12:08]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-08-10 10:10]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 04:47]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-08-03 03:15]
R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 12:29]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 03:40]
R2 PrivateDisk;PrivateDisk;C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys [2005-06-28 17:26]
R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2005-08-03 02:47]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-01-26 00:26]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2005-05-18 12:52]
R3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-08-10 12:08]
R3 Tp4Track;PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2005-07-13 12:55]
S3 cxbu0wdm;CardMan 3x21;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2005-03-31 13:46]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 12:33:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 09:17:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-24 10:41:02 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
"2008-04-07 10:57:29 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-20 13:38:12 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-10 14:32:10 C:\WINDOWS\Tasks\User_Feed_Synchronization-{64B4A2E5-093A-4576-A7CA-9821DA432ED5}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 15:44:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-04-10 15:45:28
ComboFix-quarantined-files.txt 2008-04-10 14:45:18
ComboFix2.txt 2008-04-10 09:19:57
Pre-Run: 9,458,683,904 bytes free
Post-Run: 9,436,778,496 bytes free
.
2008-04-09 17:06:24 --- E O F ---


and the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:53:06, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\tp4serv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Martin Pender\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CC09C7BA-CCD7-4829-BF84-7AEF36CC34E8} - C:\WINDOWS\system32\opnmMcab.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162998965078
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37710.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9907 bytes

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:05:14 AM

Posted 10 April 2008 - 11:34 AM

Ok, good work, looks like we've managed to kill the Vundo infection! :thumbsup:
First things first, we've got a leftover entry to fix.

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make to your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Open Hijackthis and fix this entry:
O2 - BHO: (no name) - {CC09C7BA-CCD7-4829-BF84-7AEF36CC34E8} - C:\WINDOWS\system32\opnmMcab.dll (file missing)

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.
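The entry the helper singles out above is an O2 BHO with no name whose DLL is already gone, which is what an orphaned registration looks like once a removal tool has deleted the file but not the registry key. As an added example (not part of this thread and not HijackThis's own code), the following Python script parses the O2/O3 and O23 line formats that appear in the posted log and flags such leftovers: missing files, unnamed BHOs or toolbars, and services with no publisher. The sample lines are copied from the log above; the severity labels, function names and the `Finding` record are constructed for this example.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass

# O2/O3 entries: "O2 - BHO: <name> - {CLSID} - <path>"
CLSID_LINE = re.compile(
    r"^(?P<kind>O[23]) - (?P<label>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)
SERVICE_PREFIX = "O23 - Service: "   # "O23 - Service: <name> - <owner> - <path>"
MISSING = "(file missing)"           # HJT appends this when the target path does not exist


@dataclass
class Finding:
    line: str
    severity: str      # constructed scale: "high", "medium" or "low"
    reason: str
    clsid: str = ""


def triage(lines):
    """Return a Finding for every log line that deserves a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        missing = line.endswith(MISSING)

        m = CLSID_LINE.match(line)
        if m:
            unnamed = m["name"] == "(no name)"
            if missing and unnamed:
                findings.append(Finding(line, "high", "unnamed BHO/toolbar whose DLL is gone: "
                                        "orphaned registration, typical leftover after cleanup", m["clsid"]))
            elif missing:
                findings.append(Finding(line, "medium", "registered COM object points at a file "
                                        "that no longer exists", m["clsid"]))
            elif unnamed:
                findings.append(Finding(line, "low", "BHO/toolbar registered without a name; "
                                        "verify the DLL's publisher", m["clsid"]))
            continue

        if line.startswith(SERVICE_PREFIX):
            # Split from the right: a display name may itself contain " - ", a path rarely does.
            parts = line[len(SERVICE_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3:
                name, owner, _path = parts
                if missing:
                    findings.append(Finding(line, "medium", f"service '{name}' is registered "
                                            "but its binary is missing"))
                elif owner == "Unknown owner":
                    findings.append(Finding(line, "low", f"service '{name}' carries no publisher "
                                            "information; confirm the path is expected"))
            continue

        if missing:   # any other entry type (O4, O9, ...) that points at a deleted file
            findings.append(Finding(line, "medium", "entry references a missing file"))
    return findings


def lines_to_fix(findings):
    """The entries a helper would ask the user to fix in HijackThis: high severity only."""
    return [f.line for f in findings if f.severity == "high"]


# Sample lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CC09C7BA-CCD7-4829-BF84-7AEF36CC34E8} - C:\WINDOWS\system32\opnmMcab.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print("Fix in HijackThis:", lines_to_fix(triage(SAMPLE_LOG.splitlines())))
```

On the sample, only the `opnmMcab.dll` line comes out as high severity; the `PsaSrv` service is flagged medium because its binary is missing, and the Linksys service is a low-severity note because "Unknown owner" is common for legitimate OEM software, as the rest of the posted log shows.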

#5 torpe1
  • Topic Starter
  • Members
  • 14 posts
  • Local time:06:14 AM

Posted 10 April 2008 - 01:57 PM

I'm probably being thick, but having disabled Teatimer, I have come to a grinding halt, as I cannot seem to be able to download 'ResetTeaTimer.bat'

When I click the link, or find other paths via net search, all I get is a load of script, which I have copied and attach:

@echo off
:: Edited 9:48 AM 9/21/2007
:: s!ri thanks for sharing your script
:: Please do not mirror this batch
if [%OS%]==[Windows_NT] set path=%windir%;%SystemRoot%\system32

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

:NT
Echo.
Echo SpyBot and Tea Timer must be closed!! & pause
Echo.
CScript /?>nul 2>&1 && echo/Check OK>log1.txt || echo/Windows Script Host access is disabled on this machine. >log2.txt
if exist log1.txt goto continue

echo Post this in the forum please.>>log2.txt & start notepad log2.txt & exit

:continue
if exist log1.txt del log1.txt

echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath ^& "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" ^& TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath ^& "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" ^& TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat


(@echo off
del /q %CommonAppData%\spybot~1\Snapshots\*.*
del /q %CommonAppData%\spybot~1\Snapshots2\*.*
del /q %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe
del /q %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe
del /q %CommonAppData%\spybot~1\excludes\ProcWhite.sbe
del /q %CommonAppData%\spybot~1\excludes\ProcBlack.sbe
del /q %CommonAppData%\spybot~1\excludes\UpdateDL.sbe
del /q %CommonAppData%\spybot~1\logs\resident.log
)>NUL 2>&1
Echo.
Echo Finished & pause & exit

:win
Echo.
Echo SpyBot and Tea Timer must be closed!!
pause
echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat




deltree /y %AppData%\spybot~1\snapshots\*.*
deltree /y %AppData%\spybot~1\Snapshots2\*.*
del %AppData%\spybot~1\logs\resident.log
del %AppData%\spybot~1\excludes\ProcBlack.sbe
del %AppData%\spybot~1\excludes\ProcWhite.sbe
del %AppData%\spybot~1\excludes\RegKeyWhite.sbe
del %AppData%\spybot~1\excludes\RegKeyBlack.sbe
del %AppData%\spybot~1\excludes\UpdateDL.sbe
cls
Echo.
Echo Finished
exit



:winme
Echo.
Echo SpyBot and Tea Timer must be closed!!
pause
echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat


del /y %CommonAppData%\spybot~1\snapshots\*.*
del /y %CommonAppData%\spybot~1\snapshots2\*.*
del %CommonAppData%\spybot~1\excludes\UpdateDL.sbe
del %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe
del %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe
del %CommonAppData%\spybot~1\excludes\ProcWhite.sbe
del %CommonAppData%\spybot~1\excludes\ProcBlack.sbe
del %CommonAppData%\spybot~1\logs\resident.log
cls
Echo.
Echo Finished
exit

:last
echo Press any key to exit,..
pause
exit

Can you explain/provide another link to download the BAT file?

Thanks.

#6 torpe1
  • Topic Starter
  • Members
  • 14 posts
  • Local time:06:14 AM

Posted 10 April 2008 - 02:06 PM

Please ignore last post - definitely thick - was running Firefox, so tried your link in Explorer, and have now downloaded and run 'ResetTeaTimer.bat'.

Will post the HJT and Kaspersky files when done.

#7 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:05:14 AM

Posted 10 April 2008 - 02:56 PM

Ok, no problem! :thumbsup:

#8 torpe1
  • Topic Starter
  • Members
  • 14 posts
  • Local time:06:14 AM

Posted 10 April 2008 - 05:02 PM

OK, have now completed the Kaspersky scan - 1 virus found - win32.monder.gen.

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 10, 2008 10:44:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/04/2008
Kaspersky Anti-Virus database records: 696121
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 66967
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:25:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12112006-101742.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\AlbumArtSmall.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\AlbumArt_{08115859-E625-4BCD-83A8-57E01873B42F}_Large.jpg Object is locked skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP652\A0108064.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP652\A0108065.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP655\A0108552.dll Infected: Packed.Win32.Monder.gen skipped

Scan process completed.

and the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:47:20, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\tp4serv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Martin Pender\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162998965078
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37710.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9192 bytes


Over to you..........

#9 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 11 April 2008 - 11:21 AM

Just one more thing to do.. :thumbsup:

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here.

Please reboot a final time and let me know how the PC is running.
I see a clean Hijackthis log now!
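As an added illustration (not part of the thread and not code from any tool mentioned in it), the following Python script parses lines in the layout of the Kaspersky online scanner report posted above and separates detections that exist only inside System Restore snapshots (the Packed.Win32.Monder.gen hits under System Volume Information\_restore{...}\RPnnn, which the restore-point purge above discards) from detections at live paths that would still need real cleanup. The sample report lines, the GUID and the file names in them are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the Kaspersky online scanner report
# (paths, GUID and file names are illustrative, not copied from a real machine).
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\Documents and Settings\\User\\NTUSER.DAT Object is locked skipped
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP652\\A0108064.dll Infected: Packed.Win32.Monder.gen skipped
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP655\\A0108552.dll Infected: Packed.Win32.Monder.gen skipped
C:\\WINDOWS\\system32\\example.dll Infected: Packed.Win32.Monder.gen skipped
Scan process completed.
"""

# One report line is either "<path> Object is locked skipped" or
# "<path> Infected: <threat> <action>" (action is "skipped" in a report-only
# online scan, which does not disinfect anything).
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Object is locked skipped"
    r"|Infected: (?P<threat>\S+) (?P<action>\w+))$"
)
# A file inside a System Restore snapshot lives under
# ...\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9a-f-]+\}\\RP\d+\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    in_restore_point: bool


def parse_report(text):
    """Return (locked_count, detections). 'Object is locked' lines are noise
    from files the scanner could not open; only 'Infected:' lines matter."""
    locked = 0
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Scan process"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # unrecognised layout; a real triage would log it
        if m.group("threat") is None:
            locked += 1
            continue
        path = m.group("path")
        detections.append(
            Detection(path, m.group("threat"), RESTORE_RE.search(path) is not None)
        )
    return locked, detections


def triage(detections):
    """Split detections into copies that exist only inside restore-point
    snapshots (discarded when System Restore is turned off, the machine is
    rebooted and System Restore is turned back on) and detections at live
    paths, which still need actual removal."""
    return {
        "restore_point_only": [d for d in detections if d.in_restore_point],
        "live": [d for d in detections if not d.in_restore_point],
    }


if __name__ == "__main__":
    locked, dets = parse_report(SAMPLE_REPORT)
    print(f"{locked} locked files ignored, {len(dets)} detections")
    for label, items in triage(dets).items():
        print(f"[{label}]")
        for d in items:
            print(f"  {d.threat}  {d.path}")
```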

#10 torpe1

torpe1
  • Topic Starter

  • Members
  • 14 posts

Posted 11 April 2008 - 01:46 PM

Hi David - I have reset the restore point as instructed and re-booted. Everything seems to be working fine, so fingers crossed. Will this have dealt with the win32.monder.gen issue as well?

I will run another Kaspersky scan now and let you know.

Thanks so much for all your patient help this far.

#11 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 11 April 2008 - 02:02 PM

Having flushed the system restore points, the win32.monder.gen issue should be gone.
Let me know what the results of the Kaspersky online scan are.. :thumbsup:

#12 torpe1

torpe1
  • Topic Starter

  • Members
  • 14 posts

Posted 11 April 2008 - 03:32 PM

David - a million thanks - it is all clear now according to the Kaspersky scan.

Huge thanks from my son, too, who is now free to surf away and catch all sorts of new malware, so perhaps it might not be too long before I am back here again.

All the best, and we will certainly make a donation.

Martin

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 12 April 2008 - 06:24 AM

You're most welcome, Martin! If you have any future problems, don't hesitate to contact me. :thumbsup:

He probably knows already, but you might want to tell your son about where this kind of malware comes from.

These types of infection normally come bundled with applications that you might install without checking them out first, for example audio/movie codecs that you are prompted to install from dodgy websites. Another big source of infection is P2P file sharing, where a large number of the files available to download are simply trojan downloaders and installers, etc. Finally, crack sites providing serials and keygens to "crack" open applications you need to pay for are the worst for this. Nearly every crack site has malicious code waiting to be injected into your system.

Good luck, and happy surfing!
David

#14 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 19 April 2008 - 06:09 AM

As this problem was thankfully resolved, this topic will now be closed. :thumbsup:
Martin - If you've got any additional questions, drop me a PM and I will reopen it.



