Malware on my system?


  • This topic is locked
18 replies to this topic

#1 mcman

mcman

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:50 AM

Posted 23 March 2009 - 08:04 PM

Dear community,

My system may have been compromised three days ago. My ZoneAlarm firewall told me that a VPN connection was being established, even though I don't use VPN. Over at the ZA forum, they suggested I post a HJT log here in case there is malware involved. Could you help me take a look?

Thank you very much,
mcman


DDS (Ver_09-03-16.01) - NTFSx86
Run by Robert at 20:36:18.59 on 2009-03-23
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1526.326 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logishrd\lvmvfm\LVPrcSrv.exe
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\ThinkPad\Utilities\TpKmapMn.exe
C:\Programme\ThinkPad\Utilities\TpKmapMn.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programme\Logitech\QuickCam\Quickcam.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ThinkPad\Utilities\TpKmapMn.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\IBM\Messages By IBM\ibmmessages.exe
C:\Programme\sipgate X-Lite\sipgateXLite.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Programme\Skype\Phone\Skype.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programme\Outlook Express\msimn.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Programme\Napster\napster.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ZoneLabs\UpdClient.exe
C:\Programme\Opera\profile\cache4\temporary_download\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [TPKMAPMN] c:\programme\thinkpad\utilities\TpKmapMn.exe
uRun: [MsnMsgr] "c:\programme\msn messenger\MsnMsgr.Exe" /background
uRun: [ibmmessages] c:\programme\ibm\messages by ibm\ibmmessages.exe
uRun: [XSC SIP Client] "c:\programme\sipgate x-lite\sipgateXLite.exe"
uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SynTPLpr] c:\programme\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TPKMAPHELPER] c:\programme\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [<NO NAME>]
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [TkBellExe] "c:\programme\gemeinsame dateien\real\update_ob\realsched.exe" -osboot
mRun: [LogitechCommunicationsManager] "c:\programme\gemeinsame dateien\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\programme\logitech\quickcam\Quickcam.exe" /hide
mRun: [HP Software Update] c:\programme\hp\hp software update\HPWuSchd2.exe
mRun: [ACTray] c:\programme\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\programme\thinkpad\connectutilities\ACWLIcon.exe
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "c:\programme\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\acroba~1.lnk - c:\programme\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\cleana~1.lnk - c:\programme\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hpdigi~1.lnk - c:\programme\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\sipgat~1.lnk - c:\programme\sipgate x-lite\sipgateXLite.exe
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxsrvc.dll
Notify: tphotkey - tphklock.dll
LSA: Notification Packages = scecli ACGina

============= SERVICES / DRIVERS ===============

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-8-8 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-8-8 4224]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-9 148496]

=============== Created Last 30 ================


==================== Find3M ====================

2009-03-23 20:37 175,288,096 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-23 02:03 2,126,336 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-09 22:20 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-08 21:43 393,488 a------- c:\windows\system32\perfh007.dat
2009-03-08 21:43 64,552 a------- c:\windows\system32\perfc007.dat
2009-02-16 00:10 72,584 a------- c:\windows\zllsputility.exe
2009-02-15 23:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 09:51 1,847,552 a------- c:\windows\system32\win32k.sys
2009-02-09 09:51 1,847,552 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:01 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-04-02 22:31 32 a------- c:\dokume~1\alluse~1\anwend~1\ezsid.dat
2009-03-23 20:38 175,306,016 a--sh--- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 20:39:25.15 ===============


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:50 AM

Posted 31 March 2009 - 10:28 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 mcman

mcman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:50 AM

Posted 31 March 2009 - 10:46 PM

Hello Orange Blossom,

Here is a more detailed description of the problem:

When I was shutting down my computer a couple days ago and closing programs from the task bar, all of a sudden numerous windows popped up (at least 30 or so). Most of them seemed to be all kinds of instances of communication programs that I have in the task bar tray (although I did not click anything there), but some had unfamiliar names. My Zone Alarm firewall brought up one of those red alert messages stating that a VPN connection was now ready for use. The message apparently gave me two options to choose from and a button to press, but the message itself was blank, so I could not see what the options were and therefore didn't press anything. To my knowledge, I do not use VPN (this is my home computer). Also at the same time, my CPU was running at 100% and the process accounting for that CPU usage was "hpqtra08.exe", which should be just a process for my printer. My first instinct was to disconnect the router to kill my internet connection and having done that, I shut down all running processes by rebooting.

The next day I again had numerous windows pop up when I was just clicking something on the task bar (just a normal left click on a legitimate open program), but this time no mention of a VPN connection. After that, it hasn't happened again.

Now, I'm confused about whether somebody compromised my system and if so, whether he's still on there. At the Zone Alarm user forum, I was advised to post a HJT log at bleepingcomputer.com to determine whether malware is involved.

Thanks,
mcman

New DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Robert at 23:34:51.12 on 2009-03-31
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1526.359 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logishrd\lvmvfm\LVPrcSrv.exe
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\ThinkPad\Utilities\TpKmapMn.exe
C:\Programme\ThinkPad\Utilities\TpKmapMn.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\ThinkPad\UltraNav-Assistent\UNavTray.EXE
C:\Programme\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programme\Logitech\QuickCam\Quickcam.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ThinkPad\Utilities\TpKmapMn.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\IBM\Messages By IBM\ibmmessages.exe
C:\Programme\sipgate X-Lite\sipgateXLite.exe
C:\Programme\Skype\Phone\Skype.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Programme\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\MSN Messenger\usnsvc.exe
C:\Programme\Outlook Express\msimn.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Dokumente und Einstellungen\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [TPKMAPMN] c:\programme\thinkpad\utilities\TpKmapMn.exe
uRun: [MsnMsgr] "c:\programme\msn messenger\MsnMsgr.Exe" /background
uRun: [ibmmessages] c:\programme\ibm\messages by ibm\ibmmessages.exe
uRun: [XSC SIP Client] "c:\programme\sipgate x-lite\sipgateXLite.exe"
uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SynTPLpr] c:\programme\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TPKMAPHELPER] c:\programme\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [<NO NAME>]
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [TkBellExe] "c:\programme\gemeinsame dateien\real\update_ob\realsched.exe" -osboot
mRun: [LogitechCommunicationsManager] "c:\programme\gemeinsame dateien\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\programme\logitech\quickcam\Quickcam.exe" /hide
mRun: [HP Software Update] c:\programme\hp\hp software update\HPWuSchd2.exe
mRun: [ACTray] c:\programme\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\programme\thinkpad\connectutilities\ACWLIcon.exe
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "c:\programme\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\acroba~1.lnk - c:\programme\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\cleana~1.lnk - c:\programme\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hpdigi~1.lnk - c:\programme\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\sipgat~1.lnk - c:\programme\sipgate x-lite\sipgateXLite.exe
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxsrvc.dll
Notify: tphotkey - tphklock.dll
LSA: Notification Packages = scecli ACGina

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2007-8-4 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2007-8-4 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-8-8 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-8-8 4224]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-9 148496]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2007-8-4 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-8-4 4442]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-8-15 353672]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2007-8-4 6016]

=============== Created Last 30 ================

2009-03-19 12:17 <DIR> --d----- c:\programme\Trend Micro
2009-03-09 22:19 <DIR> --d----- c:\dokume~1\robert\anwend~1\MailFrontier

==================== Find3M ====================

2009-03-31 23:35 259,850,784 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-31 02:35 3,422,240 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-09 22:20 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-08 21:43 393,488 a------- c:\windows\system32\perfh007.dat
2009-03-08 21:43 64,552 a------- c:\windows\system32\perfc007.dat
2009-02-16 00:10 72,584 a------- c:\windows\zllsputility.exe
2009-02-15 23:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 09:51 1,847,552 a------- c:\windows\system32\win32k.sys
2009-02-09 09:51 1,847,552 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:01 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-04-02 22:31 32 a------- c:\dokume~1\alluse~1\anwend~1\ezsid.dat

============= FINISH: 23:37:15.35 ===============

#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:10:50 AM

Posted 02 April 2009 - 10:33 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

First go into ZoneAlarm to the Firewall section and then to the main section and click on the advanced button. Uncheck the box that allows VPN, then click OK and close ZoneAlarm's interface.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#5 mcman

mcman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:50 AM

Posted 03 April 2009 - 02:22 AM

Hello Hoov,

Prior to discussing with you, I have not made any alterations or other steps to fix the problem. One or two days before you replied, I did get a prompt from Zone Alarm to update the program in order to enhance protection from Conficker. I did that. It seems like they consider it a minor change (from version 8.0.298.000 to 8.0.298.035).

Based on your instructions, I have:
- Disallowed VPN in ZoneAlarm
- Run Malwarebytes Anti-Malware

The latter step revealed some infections that look like adware from an online gaming website that I have visited.

Here's the log:


Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
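The DDS "Pseudo HJT Report" above and the MBAM log in this post can be read together: the DPF (ActiveX download) entry for popcaploader_v6.cab in the DDS log carries the same CLSID that MBAM later reports as Adware.PopCap, and the DDS header shows both ZoneAlarm on-access scanning and the firewall as disabled at scan time. The script below is an added example, not part of the thread or of the DDS, HijackThis or MBAM tools: it parses the sections a helper looks at first (protection status, BHO, Run and DPF lines), flags orphaned or unnamed entries, and cross-references DPF CLSIDs against the CLSIDs an MBAM log removed. The sample logs embedded in it are constructed excerpts modelled on the ones posted here.

```python
"""Triage a DDS 'Pseudo HJT Report' the way a forum helper reads it.

Added example (hypothetical helper, not DDS/HijackThis/MBAM code): pull the
AV/FW status lines and the BHO/Run/DPF entries out of a DDS log, flag the
entries a helper checks first, and match DPF (ActiveX download) CLSIDs
against the CLSIDs an MBAM removal log reported as quarantined.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the DDS log posted in the thread.
SAMPLE_DDS = """\
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*

============== Pseudo HJT Report ===============

uStart Page =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\programme\\gemeinsame dateien\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
mRun: [TpShocks] TpShocks.exe
mRun: [<NO NAME>]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab

============= SERVICES / DRIVERS ===============
"""

# Constructed excerpt modelled on the MBAM log in post #5.
SAMPLE_MBAM = """\
HKEY_CLASSES_ROOT\\CLSID\\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
"""

# A registry-style CLSID in braces, e.g. {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# DDS entry kinds: BHO, uRun/mRun/dRun, DPF, StartupFolder, IE, Notify, Handler, LSA.
ENTRY_RE = re.compile(
    r"^(?P<kind>[a-z]*(?:BHO|Run|DPF|StartupFolder|IE|Notify|Handler|LSA)):\s*(?P<rest>.*)$"
)


@dataclass
class Entry:
    kind: str                       # e.g. "BHO", "mRun", "DPF"
    rest: str                       # the rest of the line as DDS printed it
    clsids: list = field(default_factory=list)  # lower-cased CLSIDs found in rest


def parse_dds(text):
    """Return ({'AV': ..., 'FW': ...}, [Entry, ...]) for the Pseudo HJT section."""
    status, entries, in_hjt = {}, [], False
    for line in text.splitlines():
        if line.startswith(("AV:", "FW:")):
            status[line[:2]] = line[3:].strip()
        if "Pseudo HJT Report" in line:
            in_hjt = True
            continue
        if in_hjt and line.startswith("====="):      # next section banner ends it
            in_hjt = False
            continue
        if not in_hjt:
            continue
        m = ENTRY_RE.match(line)
        if m:
            clsids = [c.lower() for c in CLSID_RE.findall(m["rest"])]
            entries.append(Entry(m["kind"], m["rest"], clsids))
    return status, entries


def mbam_clsids(text):
    """Set of lower-cased CLSIDs that appear in an MBAM removal log."""
    return frozenset(c.lower() for c in CLSID_RE.findall(text))


def triage(status, entries, removed_clsids=frozenset()):
    """Return (kind, line, reason) tuples a helper would want to look at."""
    findings = []
    for key, desc in status.items():
        if "disabled" in desc.lower():
            findings.append((key, desc, "protection reported disabled at scan time"))
    for e in entries:
        if e.kind == "BHO" and e.rest.endswith("No File"):
            findings.append((e.kind, e.rest, "orphaned BHO: CLSID registered but DLL missing"))
        elif e.kind.endswith("Run") and e.rest.strip() in ("", "[<NO NAME>]"):
            findings.append((e.kind, e.rest, "unnamed or empty autorun value"))
        elif e.kind == "DPF" and any(c in removed_clsids for c in e.clsids):
            findings.append((e.kind, e.rest, "ActiveX download whose CLSID MBAM later removed"))
    return findings


if __name__ == "__main__":
    st, en = parse_dds(SAMPLE_DDS)
    for kind, line, reason in triage(st, en, mbam_clsids(SAMPLE_MBAM)):
        print(f"[{kind}] {reason}\n    {line}")
```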

#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:10:50 AM

Posted 03 April 2009 - 09:13 AM

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

During the next steps you will need to disconnect from the internet and then turn off ZoneAlarm by right clicking on the system tray icon and select shutdown.

* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


I am having you run that, simply because ZA said VPN established. Other than that I am not too worried. You are blocking VPN now, so even if it did happen, it no longer functions.

After this, check out your system and let me know how it is functioning, and if there are any problems left, or if they have changed at all.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

#7 mcman

mcman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 05 April 2009 - 01:38 AM

Hi Hoov,

I ran the CCleaner. It deleted about 4GB of garbage. I also ran the Combofix. Log is attached.

Do I need to be concerned about the fact that it says ZoneAlarm AV on-access scanning is disabled and ZoneAlarm FW is disabled? They are both supposed to run.

Otherwise, I don't notice much of a change in my system (there were no directly visible issues before anyway). It seems that the number of processes running on my computer has decreased after running the two programs. That number used to be between 72 and 73, now it's more like 68 according to the task manager.

Thank you,
mcman

Attached Files



#8 mcman

mcman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 06 April 2009 - 12:12 AM

Sorry. I just checked the task manager again after using the computer over the course of the day and the number of running processes is the same as ever.

#9 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:50 AM

Posted 06 April 2009 - 10:44 AM

I am sorry to have left you hanging this weekend. My local area had an internet blackout. Hopefully this is the last problem I will be having for a long while.

Sorry for any inconvenience.

Does ZoneAlarm report that it is on and running? If it does, then don't worry about that entry. Is your computer doing anything abnormal now, or is ZoneAlarm telling you that something is trying to run?

#10 mcman

mcman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 10 April 2009 - 02:08 AM

Hi,

Sorry it took me a while to answer. I can't see anything abnormal happening. ZoneAlarm does say that it is on and running. However, yesterday, ZoneAlarm virus scan found two issues:

P2P_Worm.Win32.Logpole.c
Kazaa Lite goop 28

The worm was located in HKEY_CURRENT_USER\Software\Kazaa\Local Content and the other thing was located in HKEY_CURRENT_USER\Software\Kazaa. I have no idea how they got there, though. I do not use Kazaa. I had ZoneAlarm delete it.

Are there any other tests I should do?
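
An added example, not from this thread, from Malwarebytes or from ZoneAlarm: a Python script that parses the Malwarebytes log format quoted in post #5 (section headers ending in "Infected:", one "path (threat) -> action" item per line), pulls out the registry keys and GUIDs it names, adds the two Kazaa keys from post #10, and, when run on Windows, re-checks whether any of those keys still exist after the cleanup. The log excerpt is constructed from the lines quoted above; the function names, the `KAZAA_KEYS` list and the Windows-only `winreg` check are this example's own choices.

```python
"""Parse a Malwarebytes (MBAM) removal log and re-check the registry keys it names."""
import re
import sys
from dataclasses import dataclass

# Constructed excerpt of the MBAM log quoted in post #5 of the thread.
SAMPLE_LOG = r"""Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
"""

# Keys reported by ZoneAlarm in post #10; added to the re-check list (assumed to be keys, not values).
KAZAA_KEYS = [
    r"HKEY_CURRENT_USER\Software\Kazaa",
    r"HKEY_CURRENT_USER\Software\Kazaa\Local Content",
]

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Infected:$")
# Greedy path so a " (" inside the path does not split the line early; the threat is the last "(...)".
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


@dataclass(frozen=True)
class Detection:
    section: str  # e.g. "Registry Keys", "Registry Values", "Files"
    path: str     # registry or file path exactly as written in the log
    threat: str   # detection name, e.g. "Adware.PopCap"
    action: str   # what MBAM did, e.g. "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Turn the section/item layout of an MBAM log into Detection records."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        item = ITEM_RE.match(line)
        if section and item:
            found.append(Detection(section, item["path"], item["threat"], item["action"]))
    return found


def registry_keys_to_recheck(items, extra=()):
    """Registry keys (not values: those mix key and value name) plus any keys named elsewhere."""
    keys = [d.path for d in items if d.section == "Registry Keys"]
    return sorted(set(keys) | set(extra))


def clsids(items):
    """Distinct GUIDs seen in registry paths; handy for searching other hives for the same object."""
    return sorted({g.lower() for d in items for g in GUID_RE.findall(d.path)})


def residual_registry_keys(paths):
    """Return the keys that still exist. Windows only; on other platforms nothing is checked."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {
        "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT,
        "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
        "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
    }
    present = []
    for path in paths:
        hive_name, _, subkey = path.partition("\\")
        if hive_name not in hives:
            continue
        try:
            with winreg.OpenKey(hives[hive_name], subkey):
                present.append(path)
        except OSError:
            pass  # key is gone, which is the expected state after a cleanup
    return present


if __name__ == "__main__":
    items = parse_mbam_log(SAMPLE_LOG)
    for d in items:
        print(f"{d.section:16} {d.threat:14} {d.path}")
    keys = registry_keys_to_recheck(items, KAZAA_KEYS)
    print("GUIDs named in the log:", clsids(items))
    print("keys still present:", residual_registry_keys(keys) or "none found (or not running on Windows)")
```

Run it on the real log (`python mbam_recheck.py < mbam-log.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) from the account that ran the scan, since the HKEY_CURRENT_USER entries belong to that user's hive. A key that reappears after a reboot is the signal worth reporting back to the helper: it means something is recreating it.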

#11 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:50 AM

Posted 10 April 2009 - 11:32 AM

Uninstall Kazaa and all the garbage that comes with it. There are instructions here. Let me know how it goes.

#12 mcman

mcman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 10 April 2009 - 10:32 PM

Negative. I never installed Kazaa, so I did not find any of the files or programs or registry keys mentioned in the article on my computer (except for Skype, which I do use, but I'm not sure why the article mentions Skype; I'm not aware of any link between Skype and Kazaa).

Thank you,
mcman

#13 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:50 AM

Posted 10 April 2009 - 10:36 PM

Do you have any kids or roommates or other house guests that may have installed Kazaa at one time and uninstalled it?

#14 mcman

mcman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:50 AM

Posted 10 April 2009 - 10:54 PM

I'm the only person who uses the computer. I did use Kazaa before on my old computer five years ago or so. I don't have any memory of ever installing it on this machine. If I did install it, I must have uninstalled it several years ago. So it would still be a little bit weird for ZoneAlarm to complain now. I've been using ZoneAlarm for two or three years.

#15 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:50 AM

Posted 10 April 2009 - 11:37 PM

Ok.

Are you having any other problems?