Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please help Diagnose


  • This topic is locked This topic is locked
54 replies to this topic

#1 silclay

silclay

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 20 October 2010 - 02:05 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:13:13 PM, on 10/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\notes\nslsvice.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\pstartSr.exe
C:\Program Files\CheckPoint\Device Agent\psda.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\eTCrtMng.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\TalApplication\xxxxApplication.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\NetPower\NetSavePower.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\Temp\pccntupd.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\hh.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\mydoc\HijackThis\Hijack.This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xxxxconnect.il.xxxx.corp/apps/hr/xxxxconnect.nsf/($All)/009CF71F8B6EDC0742256E23002B8C75?OpenDocument
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: REM 10.128.4.2 zenwsimport
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: AGFormHelperObj Class - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\PROGRA~1\agat\AGForm\AGFORM~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ImTranslator Pro Toolbar - {fae3e6b1-1936-40d6-9acc-59ebcf661ccb} - C:\Program Files\ImTranslator_Pro\tbImT0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ImTranslator Pro Toolbar - {fae3e6b1-1936-40d6-9acc-59ebcf661ccb} - C:\Program Files\ImTranslator_Pro\tbImT0.dll
O3 - Toolbar: AGForms - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [eTCertManger] C:\WINDOWS\system32\eTCrtMng.exe
O4 - HKLM\..\Run: [Check Point Endpoint Tray Application] C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [xxxxApplicationLauncher] C:\Program Files\TalApplication\xxxxApplication.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NetPower] C:\Program Files\NetPower\NetSavePower.exe /R
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O8 - Extra context menu item: ??? ?&???? Bluetooth... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ??? ?-Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - http://erpcontp03.il.xxxx.corp/imtapp/res/jar/cnsload.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IL.xxxx.Corp
O17 - HKLM\Software\..\Telephony: DomainName = IL.xxxx.Corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IL.xxxx.Corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IL.xxxx.Corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = IL.xxxx.Corp
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - Unknown owner - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (file missing)
O23 - Service: AVG WatchDog (avgwd) - Unknown owner - C:\Program Files\AVG\AVG10\avgwdsvc.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\notes\nslsvice.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pointsec - Check Point Software Tech Ltd - C:\WINDOWS\system32\Prot_srv.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Check Point Software Tech Ltd - C:\WINDOWS\system32\pstartSr.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Endpoint Security Device Agent (PSDA) - Check Point Seoftware Technologies Ltd. - C:\Program Files\CheckPoint\Device Agent\psda.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: xCmd Service (xCmdSvc) - Unknown owner - C:\WINDOWS\System32\drivers\etc\xCmdSvc.exe (file missing)

--
End of file - 22938 bytes

Edited by gringo_pr, 14 November 2010 - 01:44 AM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:10 AM

Posted 29 October 2010 - 03:07 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok,

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

In your next post I need the following

1.logs from DDS
2.log from RKUnHooker
3.let me know of any problems you may have had
[/list]
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:10 AM

Posted 01 November 2010 - 01:14 AM

Hello

three day bump

It has been Three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 silclay

silclay
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 01 November 2010 - 01:45 AM

Gringo,
I am so sorry for taking time to get back to you - it's taken this long for me to get the computer in a condition where I could access the internet without freezing the PC after a few minutes

#5 silclay

silclay
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 01 November 2010 - 01:59 AM

Gringo,
While I have administrator status - the defogger will not run because I am not logged in as an administrator

So I wont be able to run defogger

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:10 AM

Posted 01 November 2010 - 02:01 AM

ok run the rest


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 silclay

silclay
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 01 November 2010 - 01:20 PM

DDS.txt first (others to follow)


DDS (Ver_10-10-31.01) - NTFSx86
Run by dsilver at 20:07:39.77 on Mon 11/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1255.1.1033.18.2038.578 [GMT 2:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {061AE366-576E-4716-93BD-961A93D59089}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\notes\nslsvice.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\pstartSr.exe
C:\Program Files\CheckPoint\Device Agent\psda.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\eTCrtMng.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\WINDOWS\system32\iprntctl.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\TalApplication\xxxxApplication.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\NetPower\NetSavePower.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcrobatInfo.exe
C:\mydoc\HijackThis\Bleeping Computer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://xxxxconnect.il.xxxx.corp/apps/hr/xxxxconnect.nsf/($All)/009CF71F8B6EDC0742256E23002B8C75?OpenDocument
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - c:\progra~1\agat\agform\AGFORM~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ImTranslator Pro Toolbar: {fae3e6b1-1936-40d6-9acc-59ebcf661ccb} - c:\program files\imtranslator_pro\tbImT0.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: ImTranslator Pro Toolbar: {fae3e6b1-1936-40d6-9acc-59ebcf661ccb} - c:\program files\imtranslator_pro\tbImT0.dll
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - c:\program files\agat\agform\AGForms.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrackPointSrv] tp4mon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [eTCertManger] c:\windows\system32\eTCrtMng.exe
mRun: [Check Point Endpoint Tray Application] c:\program files\common files\check point\uiframework\cptray.exe
mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [xxxxApplicationLauncher] c:\program files\talapplication\xxxxApplication.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [NetPower] c:\program files\netpower\NetSavePower.exe /R
mRun: [gcasServ] "c:\program files\giant company software\giant antispyware\gcasServ.exe"
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: ??? ?&???? Bluetooth... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: ??? ?-Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxp://erpcontp03.il.xxxx.corp/imtapp/res/jar/cnsload.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: GIANT AntiSpyware Service Hook: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\giant company software\giant antispyware\gcasServHook.dll
LSA: Authentication Packages = msv1_0 nwv1_0

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-19 64288]
R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [2010-1-18 25300]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2009-7-21 223664]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2010-1-18 34671]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-10-19 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-16 98392]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-6-18 47504]
R2 iPCAgent;iPCAgent;c:\program files\ipass\ipassconnect\iPCAgent.exe [2006-1-19 90112]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-26 1374968]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2009-7-21 629296]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2009-7-21 174640]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-1-18 53248]
R2 PSDA;Endpoint Security Device Agent;c:\program files\checkpoint\device agent\psda.exe [2009-7-22 501032]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-10-19 69976]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-3-31 51792]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2009-3-27 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2009-3-27 36368]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2008-6-18 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-6-18 673872]
R3 AKSUP;AKSUP;c:\windows\system32\drivers\aksup.sys [2010-1-18 34406]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2008-6-18 2235760]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-26 15008]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-4-1 340496]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2009-4-1 497008]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-1-11 689416]
S3 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg10\identity protection\agent\bin\avgidsagent.exe" --> c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [?]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 avgwd;AVG WatchDog;"c:\program files\avg\avg10\avgwdsvc.exe" --> c:\program files\avg\avg10\avgwdsvc.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-10-13 27064]
S3 xCmdSvc;xCmd Service;c:\windows\system32\drivers\etc\xcmdsvc.exe --> c:\windows\system32\drivers\etc\xCmdSvc.exe [?]
UnknownUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2010-11-01 18:07:36 98816 ----a-w- c:\temp\43.tmp\SED.DAT
2010-11-01 18:07:36 518144 ----a-w- c:\temp\43.tmp\SWREG.DAT
2010-11-01 18:07:35 85504 ----a-w- c:\temp\43.tmp\mbr.dat
2010-11-01 18:07:35 256512 ----a-w- c:\temp\43.tmp\PEV.DAT
2010-11-01 16:12:22 -------- d-----w- c:\docume~1\dsilver\applic~1\smkits
2010-11-01 08:14:14 -------- d-----w- c:\windows\pss
2010-11-01 07:29:38 -------- d-----w- c:\windows\ms
2010-10-31 09:00:40 -------- d-----w- c:\docume~1\dsilver\applic~1\FileOpen
2010-10-31 09:00:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\FileOpen
2010-10-31 08:56:36 -------- d-----w- c:\program files\FileOpen
2010-10-27 06:27:26 -------- d-----w- c:\program files\GIANT Company Software
2010-10-27 06:23:48 -------- d-----w- c:\windows\Downloaded Installations
2010-10-24 09:02:36 212480 ----a-w- c:\temp\swxcacls.exe
2010-10-24 09:02:34 139776 ----a-w- c:\temp\swreg.exe
2010-10-24 05:18:08 -------- d-----w- c:\windows\system32\Icons
2010-10-23 17:13:26 -------- d-----w- c:\windows\system32\Logs
2010-10-22 05:49:25 -------- d-sha-r- C:\cmdcons
2010-10-22 05:39:18 77312 ----a-w- c:\windows\MBR.exe
2010-10-22 05:39:16 256512 ----a-w- c:\windows\PEV.exe
2010-10-22 05:39:12 98816 ----a-w- c:\windows\sed.exe
2010-10-22 05:39:12 161792 ----a-w- c:\windows\SWREG.exe
2010-10-19 15:15:59 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-10-19 15:15:58 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-10-19 14:23:52 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-19 06:29:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-19 05:43:12 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{A4716110-A599-4517-A21D-0B81799F4676}
2010-10-19 05:42:19 -------- d-----w- c:\program files\Lavasoft
2010-10-14 12:30:13 -------- d-----w- c:\docume~1\dsilver\locals~1\applic~1\Temp
2010-10-14 12:27:19 -------- d-----w- c:\docume~1\dsilver\locals~1\applic~1\Google
2010-10-14 12:20:31 -------- d-----w- c:\docume~1\dsilver\locals~1\applic~1\Deployment
2010-10-13 17:19:11 -------- d-----w- c:\docume~1\dsilver\applic~1\Malwarebytes
2010-10-13 17:18:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-13 05:23:20 -------- d-----w- c:\docume~1\dsilver\locals~1\applic~1\VS Revo Group
2010-10-13 05:22:17 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-10-13 05:22:11 -------- d-----w- c:\program files\VS Revo Group
2010-10-11 11:23:49 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-11 11:21:37 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-11 11:18:08 -------- d-----w- c:\program files\AVG
2010-10-11 11:16:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-06 14:13:33 -------- d-----w- c:\program files\CCleaner

==================== Find3M ====================

2042-04-01 22:14:00 169256 ----a-w- c:\windows\system32\LoginFilter.dll
2010-10-11 10:59:18 582 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 06:24:49 256 ----a-w- C:\pool.bin
2006-02-26 09:19:42 1176064 ----a-w- c:\program files\winscp376.exe

============= FINISH: 20:17:54.89 ===============

Edited by gringo_pr, 14 November 2010 - 01:44 AM.


#8 silclay

silclay
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 01 November 2010 - 01:22 PM

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-31.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/18/2010 3:46:14 PM
System Uptime: 11/1/2010 6:05:45 PM (2 hours ago)

Motherboard: LENOVO | | 1706W6W
Processor: Genuine Intel® CPU T2400 @ 1.83GHz | None | 987/167mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 134.66 GiB free.
F: is NetworkDisk (NTFS) - 4025 GiB total, 1288.862 GiB free.
L: is NetworkDisk (NTFS) - 6300 GiB total, 1269.194 GiB free.
N: is NetworkDisk (NTFS) - 2048 GiB total, 425.668 GiB free.
P: is NetworkDisk (NTFS) - 4520 GiB total, 200.101 GiB free.
V: is NetworkDisk (NTFS) - 4025 GiB total, 1288.862 GiB free.
X: is NetworkDisk (NTFS) - 4520 GiB total, 200.101 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


תוכנת Intel® PROSet/Wireless
2007 Microsoft Office Suite Service Pack 2 (SP2)
Ad-Aware
Adobe Acrobat 8 Professional ME
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
Atmel TPM Driver 3.0.0.15
Avanquest update
BOSaNOVA 7.12
CCleaner
Check Point Endpoint Security - Full Disk Encryption
Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2
Citrix XenApp Plugin for Hosted Apps
Cole2k Media - Codec Pack (Advanced) 7.1.0
Compatibility Pack for the 2007 Office system
Configuration Manager Client
CuteFTP 7 Professional
DameWare Mini Remote Control Client Agent Service
E-GOV.IL Sign&Verify Software - AGForm toolbar
Endpoint Security MI Device Agent
eToken Run Time Environment 3.65
Facsys
FileOpen Plug-in for Adobe Acrobat® and Acrobat Reader®
GIANT AntiSpyware
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Imaging Pro
ImTranslator_Pro Toolbar
Intel® Graphics Media Accelerator Driver
Intel® Network Connections Drivers
iPassConnect
J2SE Runtime Environment 5.0 Update 11
Java Auto Updater
Java™ 6 Update 18
Java™ 6 Update 20
Java™ 6 Update 3
Lotus Notes
mCore
mDriver
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2003 Web Components
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office XP Hebrew User Interface Pack
Microsoft Office XP Professional with FrontPage
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
mMHouse
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
mWlsSafe
Nero 6 Ultra Edition
NetPower
NICI (Shared) U.S./Worldwide (128 bit) (2.7.3-1)
Novell Client for Windows
Novell iPrint Client v04.28.00
On Screen Display
Oracle JInitiator 1.3.1.21
Oracle Web Conferencing Console
PSNext (512mb)
RDC
Revo Uninstaller Pro 2.4.1
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB982802)
SoundMAX
SQLXML4
Symantec Enterprise Vault Outlook Add-In
System Update
TalApplication
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Utility
ThinkVantage Active Protection System
Trend Micro OfficeScan Client
Uninstall 1.0.0.1
Update for Outlook 2007 Junk Email Filter (kb2291599)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WIMGAPI
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Enterprise Deployment
WinZip 11.0

==== End Of File ===========================

#9 silclay

silclay
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 01 November 2010 - 01:26 PM

As for Rootkit Unhooker my computer says it is not a valid win32 program

what should I do?

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:10 AM

Posted 01 November 2010 - 03:25 PM

Try to redownload it and run it and if it still says the same thing then rename RKunhooker and see if it will run


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 silclay

silclay
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 02 November 2010 - 01:21 AM

A command window appears then disappears - that's all

#12 silclay

silclay
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 02 November 2010 - 01:32 AM

It seems that the download of the RKU is not completing as a message appears that access is denied
strange - no?

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:10 AM

Posted 02 November 2010 - 01:46 AM

Hello

:multiple Anti Virus programs:

It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:

AV: Trend Micro OfficeScan Antivirus
AV: Lavasoft Ad-Watch Live! Anti-Virus


Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove one of them.

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 02 November 2010 - 01:46 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 silclay

silclay
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 02 November 2010 - 01:54 AM

Hi I hadn't read your post before I downloaded "Rootkit Unhooker LE 3.8.388.590 SR2"
direct from Rootkit.com
http://www.rootkit.com/blog.php?newsid=1019
the file is called RkU3.8.388.590.exe
should I run this?

I have previously run ComboFix about a week ago - do you want me to do that again?
The Trend Micro OfficeScan Antivirus is from work and I can not shut that down
The AdAware is there because it is the only thing that is picking up a Trojan Downloader all the time
each scan identifies a few and gets rid of them and the next scan releals more
part of the reason why I need help here
Is it enough to close them down or must they be uninstalled?

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:10 AM

Posted 02 November 2010 - 02:03 AM

Yes try and run that version and let me know if it works
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users