Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tiny App Crashes Explorer, Dials Spy Sites, Can't Find/remove


  • This topic is locked This topic is locked
6 replies to this topic

#1 d_s

d_s

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 15 August 2006 - 03:30 AM

Hello all,

I had a very bad spate of spyware/malware (surfsidekick and others) recently and after many many restarts, adaware scans, spybot scans, zonelabs scans, etc I was able to remove almost all of it. There are still one or two malware apps that cannot be detected or removed automatically, unfortunately.

When I boot my machine I now have Zonealarm watch every process carefully and ask for permission to run (annoying, but what can I do?). I have googled every entry to make sure that I am only allowing good stuff to load - perhaps I missed something.

SUSPECT BEHAVIOR:

Once I click anywhere in the desktop or load the contents of a folder into an explorer window I hear an audible "pop-pop" sound and a tiny, 3-pixel window appears in the upper left of my desktop. Then every once in a while that app (or something else) defocuses the window selection from whatever I'm working on to that app. It's very annoying.

Also, at random intervals I am getting zonealarm warnings that something is trying to phone home to a spy site. ZA blocks the connection but I can't figure out where it's coming from. To be clear, this often happens with no app or explorer window open, and I have not even run FF or IE in the current boot session.

Finally, also randomly, all items on the desktop dissapear. This _looks_ like an explorer.exe crash but I can still use explorer windows. Only desktop items are gone. Manually killing explorer.exe and rerunning it returns desktop stuff for a while.

DIAGNOSTIC:

Adaware, Spybot, MS Malicious Tool and ZA Spy search all come up empty in current scans.

Below is my latest hijackthis log, taken after the tiny app thing shows up in my boot session. I am having a hard time telling which entry is suspect.

Please note, this entry:

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto

... is a dead link. Somewhere along the line an anti-spyware app must have deleted this folder, it is no longer in "program files."

Please note, there are a lot of IBM thinkpad apps and services running as a part of the thinkvantage stuff on my thinkpad. It makes parsing the log harder.

Many thanks for any advice


LOG:

Logfile of HijackThis v1.99.1
Scan saved at 12:22:04 AM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\THINKV~2\AMSG\amsg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\{A4C35848-07CB-1033-0331-060118060001}\Update.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
C:\Program Files\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [amsg] C:\PROGRA~1\THINKV~2\AMSG\amsg.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145779692828
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} (AudioHandlerEmbedded) - http://192.168.2.30/activex/AMC.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://targetrock.dyndns.org/activex/AMC.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\aomparse.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:54 AM

Posted 15 August 2006 - 09:13 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Let's get a look at a more detailed log.




Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 d_s

d_s
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 15 August 2006 - 01:20 PM

Hi Sam, thanks for helping me. Below is the combofix log as requested:



Start Time= Tue 08/15/2006 10:48:25.75
Running from: C:\Documents and Settings\Damon\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MacDrive-iTunes compatibility
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{6FC78AE6-AE37-46BF-AC74-79B8B5223368}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{6FC78AE6-AE37-46BF-AC74-79B8B5223368}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{6FC78AE6-AE37-46BF-AC74-79B8B5223368}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6FC78AE6-AE37-46BF-AC74-79B8B5223368}\InprocServer32]
@="C:\\WINDOWS\\system32\\kcdsl.dll"
"ThreadingModel"="Apartment"

Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-15 10:37:36 13758 ( A.... ) "C:\Program Files\hijackthis.log"
2006-08-15 00:27:50 ( .D... ) "C:\Program Files\Compare It!"
2006-08-10 22:11:20 ( .D... ) "C:\Program Files\Common Files\Lenovo"
2006-08-09 14:41:58 11712 ( ..... ) "C:\WINDOWS\system32\EGATHDRV.SYS"
2006-08-09 14:41:58 11712 ( ..... ) "C:\WINDOWS\system32\EGATHDRV.SYS"
2006-08-08 08:54:22 ( .D... ) "C:\Program Files\Zone Labs"
2006-08-08 01:14:26 1167 ( ..... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-08 01:14:26 1167 ( ..... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-08 01:09:24 ( .D... ) "C:\Program Files\xerox"
2006-08-07 17:15:38 ( .D... ) "C:\Program Files\backups"
2006-08-07 16:32:54 1167 ( ..... ) "C:\WINDOWS\system32\bzbb7e69.sys"
2006-08-07 16:32:54 1167 ( ..... ) "C:\WINDOWS\system32\bzbb7e69.sys"
2006-08-07 15:19:38 ( .D... ) "C:\Documents and Settings\Damon\Application Data\Lavasoft"
2006-08-07 15:18:58 ( .D... ) "C:\Program Files\Lavasoft"
2006-08-07 14:29:18 ( .D... ) "C:\Program Files\Common Files\{A4C35848-07CB-1033-0331-060118060001}"
2006-08-07 14:11:34 13312 ( ..... ) "C:\WINDOWS\system32\BASSMOD.dll"
2006-08-07 14:10:44 ( .D... ) "C:\Documents and Settings\Damon\Application Data\Genie-Soft"
2006-08-01 19:44:58 ( .D... ) "C:\Program Files\id Software"
2006-07-30 10:11:26 ( .D... ) "C:\Program Files\Yahoo!"
2006-07-27 06:24:46 679424 ( ..... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-21 18:55:38 127578 ( ..... ) "C:\WINDOWS\system32\tsuninst.exe"
2006-07-21 01:24:44 72704 ( ..... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-17 20:40:22 ( .D... ) "C:\Program Files\AirPort"
2006-07-14 08:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 13:20:50 ( .D... ) "C:\Program Files\PeerGuardian2"
2006-07-13 06:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-11 16:52:52 23552 ( A.... ) "C:\WINDOWS\system32\psasrv.exe"
2006-07-11 14:18:32 ( .D... ) "C:\Program Files\Cloud"
2006-07-05 03:55:02 984064 ( ..... ) "C:\WINDOWS\system32\kernel32.dll"
2006-07-04 10:22:24 0 ( ..... ) "C:\Documents and Settings\Damon\Application Data\avery test"
2006-07-04 10:21:58 0 ( ..... ) "C:\Documents and Settings\Damon\Application Data\avery label test"
2006-07-04 09:24:20 ( .D... ) "C:\Program Files\Avery Wizard"
2006-06-27 16:22:12 ( .D... ) "C:\Program Files\Axis Communications"
2006-06-27 16:22:06 38 ( ..... ) "C:\WINDOWS\datsept.dll"
2006-06-27 16:22:06 26 ( ..... ) "C:\WINDOWS\ipviewer6.dll"
2006-06-26 18:32:38 778240 ( ..... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-06-26 18:32:36 778240 ( ..... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-06-26 18:32:36 761856 ( ..... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-06-26 18:32:36 620180 ( ..... ) "C:\WINDOWS\system32\DivX.dll"
2006-06-26 10:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 10:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-25 11:28:46 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-21 03:49:48 53248 ( ..... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-06-21 03:43:10 520192 ( ..... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-06-21 03:43:06 3596288 ( ..... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-06-21 03:42:58 1044480 ( ..... ) "C:\WINDOWS\system32\libdivx.dll"
2006-06-21 03:42:58 200704 ( ..... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-06-21 03:34:22 593920 ( ..... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-06-21 03:34:22 344064 ( ..... ) "C:\WINDOWS\system32\dpus11.dll"
2006-06-21 03:34:22 294912 ( ..... ) "C:\WINDOWS\system32\dpu11.dll"
2006-06-21 03:34:22 294912 ( ..... ) "C:\WINDOWS\system32\dpu10.dll"
2006-06-21 03:34:22 200704 ( ..... ) "C:\WINDOWS\system32\dtu100.dll"
2006-06-21 03:34:22 90112 ( ..... ) "C:\WINDOWS\system32\dpl100.dll"
2006-06-21 03:34:22 57344 ( ..... ) "C:\WINDOWS\system32\dpv11.dll"
2006-06-21 03:33:42 118784 ( ..... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-06-21 03:33:42 12288 ( ..... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"
2006-06-19 22:00:08 ( .D... ) "C:\Program Files\EPSON"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-18 17:54:58 394872 ( ..... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-06-18 17:54:48 75776 ( ..... ) "C:\WINDOWS\zllsputility.exe"
2006-06-18 17:54:26 83960 ( ..... ) "C:\WINDOWS\system32\zlcomm.dll"
2006-06-18 17:54:26 71672 ( ..... ) "C:\WINDOWS\system32\zlcommdb.dll"
2006-06-18 17:54:24 100344 ( ..... ) "C:\WINDOWS\system32\vsxml.dll"
2006-06-18 17:54:24 59384 ( ..... ) "C:\WINDOWS\system32\vswmi.dll"
2006-06-18 17:54:22 440312 ( ..... ) "C:\WINDOWS\system32\vsutil.dll"
2006-06-18 17:54:22 71672 ( ..... ) "C:\WINDOWS\system32\vsregexp.dll"
2006-06-18 17:54:20 268280 ( ..... ) "C:\WINDOWS\system32\vspubapi.dll"
2006-06-18 17:54:20 157688 ( ..... ) "C:\WINDOWS\system32\vsinit.dll"
2006-06-18 17:54:20 104440 ( ..... ) "C:\WINDOWS\system32\vsmonapi.dll"
2006-06-18 17:54:18 83960 ( ..... ) "C:\WINDOWS\system32\vsdata.dll"
2006-06-08 15:11:36 262144 ( ..... ) "C:\WINDOWS\system32\wrap_oal.dll"
2006-06-08 15:11:36 86016 ( ..... ) "C:\WINDOWS\system32\OpenAL32.dll"
2006-06-04 13:29:22 53248 ( ..... ) "C:\WINDOWS\PalmDevC.dll"
2006-05-31 17:51:20 796584 ( ..... ) "C:\WINDOWS\system32\libeay32_0.9.6l.dll"
2006-05-19 05:59:42 111616 ( ..... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( ..... ) "C:\WINDOWS\system32\iphlpapi.dll"
2005-11-28 10:48:40 421888 ( ..... ) "C:\Program Files\putty.exe"
2005-02-16 11:06:00 218112 ( ..... ) "C:\Program Files\HijackThis.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-08 11:40 2,145,832,960 C:\hiberfil.sys
2006-08-08 08:54 83,960 C:\WINDOWS\system32\zlcomm.dll
2006-08-08 08:54 796,584 C:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-08-08 08:54 77,824 C:\WINDOWS\system32\driverif.dll
2006-08-08 08:54 75,776 C:\WINDOWS\zllsputility.exe
2006-08-08 08:54 733,236 C:\WINDOWS\system32\vete.dll
2006-08-08 08:54 71,672 C:\WINDOWS\system32\zlcommdb.dll
2006-08-08 08:54 71,672 C:\WINDOWS\system32\vsregexp.dll
2006-08-08 08:54 59,384 C:\WINDOWS\system32\vswmi.dll
2006-08-08 08:54 394,872 C:\WINDOWS\system32\vsdatant.sys
2006-08-08 08:54 268,280 C:\WINDOWS\system32\vspubapi.dll
2006-08-08 08:54 12,288 C:\WINDOWS\system32\vetntmsg.dll
2006-08-08 08:54 11,264 C:\WINDOWS\system32\SpOrder.dll
2006-08-08 08:54 104,440 C:\WINDOWS\system32\vsmonapi.dll
2006-08-08 08:54 100,344 C:\WINDOWS\system32\vsxml.dll
2006-08-08 08:52 83,960 C:\WINDOWS\system32\vsdata.dll
2006-08-08 08:52 440,312 C:\WINDOWS\system32\vsutil.dll
2006-08-08 08:52 157,688 C:\WINDOWS\system32\vsinit.dll
2006-08-08 01:14 1,167 C:\WINDOWS\system32\aaa00000.sys
2006-08-07 14:31 1,167 C:\WINDOWS\system32\bzbb7e69.sys
2006-08-07 14:30 127,578 C:\WINDOWS\system32\tsuninst.exe
2006-08-07 14:09 13,312 C:\WINDOWS\system32\BASSMOD.dll
2006-07-11 16:52 23,552 C:\WINDOWS\system32\psasrv.exe
2006-07-04 09:24 827,904 C:\WINDOWS\system32\Ter32.dll
2006-07-04 09:24 299,520 C:\WINDOWS\uninst.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"TpShocks"="TpShocks.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"LPManager"="C:\\PROGRA~1\\THINKV~2\\PrdCtr\\LPMGR.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"cssauth"="\"C:\\Program Files\\IBM ThinkVantage\\Client Security Solution\\cssauth.exe\" silent"
"PDService.exe"="\"C:\\Program Files\\IBM ThinkVantage\\SafeGuard PrivateDisk\\pdservice.exe\""
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"ACTray"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\ACTray.exe"
"ACWLIcon"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\ACWLIcon.exe"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"MDDiskProtect.exe"="C:\\Program Files\\Mediafour\\MacDrive\\MDDiskProtect.exe"
"MediafourGettingStartedWithMacDrive6"="\"C:\\Program Files\\Mediafour\\MacDrive\\MacDrive.exe\" /runonce"
"Mediafour Mac Volume Notifications"="\"C:\\Program Files\\Common Files\\Mediafour\\MACVNTFY.EXE\" /auto"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"amsg"="C:\\PROGRA~1\\THINKV~2\\AMSG\\amsg.exe"
"outlook"="C:\\Program Files\\outlook\\outlook.exe /auto"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"TVT Scheduler Proxy"="C:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
"TPKMAPMN"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapMn.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{A4C35848-07CB-1033-0331-060118060001}"="\"C:\\Program Files\\Common Files\\{A4C35848-07CB-1033-0331-060118060001}\\Update.exe\" mc-110-12-0000140"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows Media Player\\kyze.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""




Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\PMTask.job

Completion time: Tue 08/15/2006 10:57:16.39
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-15.104825.txt

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:54 AM

Posted 15 August 2006 - 05:12 PM

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"=-
Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.




Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\aaa00000.sys
    C:\WINDOWS\system32\bzbb7e69.sys
    C:\Program Files\Common Files\{A4C35848-07CB-1033-0331-060118060001}\Update.exe
    C:\Program Files\Common Files\{A4C35848-07CB-1033-0331-060118060001}\Services.dll
    C:\Program Files\Common Files\{A4C35848-07CB-1033-0331-060118060001}
    C:\WINDOWS\system32\tsuninst.exe
    C:\Program Files\Windows Media Player\kyze.html




  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
=============


Please post a new hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 d_s

d_s
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 17 August 2006 - 11:53 AM

Hi Sam,

Thanks for continuing to help. Below are both the KillBox and HijackThis logs from this morning:

KILLBOX:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Damon(Administrator)
was started @ Thursday, August 17, 2006, 9:44 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\aaa00000.sys


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\bzbb7e69.sys


# 3 [Delete on Reboot]
Path = C:\Program Files\Common Files\{A4C35848-07CB-1033-0331-060118060001}\Update.exe


# 4 [Delete on Reboot]
Path = C:\Program Files\Common Files\{A4C35848-07CB-1033-0331-060118060001}\Services.dll


# 5 [Delete on Reboot]
Path = C:\Program Files\Common Files\{A4C35848-07CB-1033-0331-060118060001}


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\tsuninst.exe


I Rebooted @ 9:45:55 AM
Killbox Closed(Exit) @ 9:45:58 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Damon(Administrator)
was started @ Thursday, August 17, 2006, 9:50 AM


HIJACKTHIS:



Logfile of HijackThis v1.99.1
Scan saved at 9:52:21 AM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\THINKV~2\AMSG\amsg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Damon\Desktop\KillBox.exe
C:\WINDOWS\notepad.exe
C:\Program Files\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [amsg] C:\PROGRA~1\THINKV~2\AMSG\amsg.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145779692828
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} (AudioHandlerEmbedded) - http://192.168.2.30/activex/AMC.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://targetrock.dyndns.org/activex/AMC.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



END

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:54 AM

Posted 17 August 2006 - 06:55 PM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)



Reboot and post a new hijackthis log.
Let me know how your computer is running now. Any problems?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:54 AM

Posted 03 September 2006 - 02:16 PM

Unfortunately there has been no response, and this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users