Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Smitfraud(?) / Virtumundo Infection


  • Please log in to reply
5 replies to this topic

#1 kevlar21

kevlar21

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 06 December 2006 - 09:07 PM

Hello,

I was (or still am?) infected with some kind of spyware/malware.

Here is what happened. I downloaded some exe from the Internet using opera.
Checked it with my antivirus program (f-prot) which didn't generate any warning.
Started the exe. Then for a split-second a command-prompt-window popped up and then closed.
The file disappeared after that by itself (self-delete?).

Immeadiatly after this IEXPLORE.EXE tried to access the following two ips/sites:

- 216.195.50.56:80 (dns probably here4search.biz)
- 85.249.131.44:80 (dns probably smart-security.biz)

These two access attempts where blocked either by me, as ZoneAlarm told me IEXPLORE wants to
access the Internet and I clicked deny, or by "SpyBot Search and Destory's" Resident-SD-Helper.

I already performed a number of steps and now wanted to know if there is anything left to do
Therefore I wrote down a description of what I did and at the end I appended some log-files:

1) Cleaned out the temporary internet files and temp files with cleanmgr

2) Full system scan with up-to-date "AdAware" -> Nothing found (beside some cookies)

3) Spyware scan with up-to-date "Spybot Search & Destroy":
- SmitFraud-C.Toolbar888 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]
This was found and removed

4) Full system scan with up-to-date F-Prot Antivirus which found:
- HTML/IFrameBoF@expl
- JS/Linker.V@troj
both html-files in the Cache of Opera. Removed those two files manually. I guess I got those while downloading the exe.

5) Full system scan with "Housecall Anti Virus" of Trendmicro which found:
- TSPY_CIMUZ
- TSPY_AGENT.TQ
- EXPL_EXECod.A
- ADWARE_VIRTUMUNDO

All four were sucessfully removed said the tool

6) Full system scan with "Panda Anti Virus - Active Scan":
Which found the following entries (I'm nearly sure that the last three files in the list are "false positives")
--- START PANDA LOG ---

Incident / Status / Location

Adware:Adware/PurityScan / Not disinfected / C:\WINDOWS\system32\winmbj32.dll
Possible Virus. / Not disinfected / C:\Programme\Lenovo\System Update\Tools.dll
Virus:Eicar.Mod / Not disinfected / C:\Programme\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\data1.cab[fpav-help.chm][/prob-scan-ok.html]
Virus:Eicar.Mod / Not disinfected / E:\Programme\FSI\F-Prot\fpav-help.chm[/prob-scan-ok.html]

--- END PANDA LOG ---

7) Used VundoFix V6.2.13 which removed C:\WINDOWS\SYSTEM32\winmbj32.dll which I previously was unable to remove manually not even in "Safe mode" after "regsvr32 /u C:\WINDOWS\SYSTEM32\winmbj32.dll"

8) Used SmitFraudFix v2.128 which generated the following logs (I removed some empty lines for better readability):

First using option 1 (Only search):

--- START SmitFraudFix Search LOG ---
SmitFraudFix v2.128

Scan done at 1:29:56,21, 07.12.2006
Run from C:\Dokumente und Einstellungen\Jimbo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Jimbo
»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Jimbo\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\Jimbo\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End

--- END SmitFraudFix Search LOG ---

Second using the option 2 (clean)

--- START SmitFraudFix Clean LOG ---
SmitFraudFix v2.128

Scan done at 1:31:31,09, 07.12.2006
Run from C:\Dokumente und Einstellungen\Jimbo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End

--- END SmitFraudFix Clean LOG ---´

9) Then did a full system scan with an up-to-date version of "AVG Anti-Spyware" in Safe Mode which only found 3 Cookies (Overture, Ivwbox, Komtrack)

10) A scan with Combofix with the following log:

--- START COMBOFIX LOG ---
Jimbo - 06-12-07 2:03:36,81 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Dokumente und Einstellungen\Jimbo\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-07 to 2006-12-07 ))))))))))))))))))))))))))))))))))


2006-12-07 01:36 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-07 00:58 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-07 00:53 <DIR> d-------- C:\VundoFix Backups
2006-12-06 19:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-06 18:02 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\Intel
2006-12-06 14:45 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\.housecall6.6
2006-12-06 14:44 <DIR> d-------- C:\WINDOWS\Sun
2006-12-06 14:44 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\Sun
2006-12-06 14:15 4,996 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-06 13:03 19,456 --a------ C:\WINDOWS\system32\simptcp.dll
2006-12-06 12:58 <DIR> d--hs---- C:\Config.Msi
2006-12-06 12:20 419,200 --a------ C:\WINDOWS\system32\drivers\FSTOPW.sys
2006-12-06 12:03 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2006-12-06 01:25 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\OfficeUpdate12
2006-12-06 01:24 <DIR> d-------- C:\Programme\Adobe
2006-12-06 01:15 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-12-06 01:13 <DIR> d-------- C:\WINDOWS\tiinst
2006-12-06 00:16 173,672 --a------ C:\WINDOWS\swiif.exe
2006-12-05 17:22 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\InterVideo
2006-12-05 17:18 <DIR> d-------- C:\Programme\Microsoft Visual Studio
2006-12-05 17:18 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Designer
2006-12-05 17:17 <DIR> d-------- C:\WINDOWS\ShellNew
2006-12-05 15:59 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-12-05 15:59 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-12-05 15:17 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-12-05 13:14 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Java
2006-12-05 13:11 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\Lavasoft
2006-12-05 13:06 42,920 --a------ C:\WINDOWS\system32\vsutil_loc0407.dll
2006-12-05 13:06 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-05 13:05 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-05 12:59 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-12-05 12:19 <DIR> d-------- C:\WINDOWS\system32\(null)
2006-12-05 12:18 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Lenovo
2006-12-05 11:58 0 -rahs---- C:\MSDOS.SYS
2006-12-05 11:57 <DIR> d--h----- C:\Programme\Zero G Registry
2006-12-05 11:56 <DIR> d--h----- C:\Dokumente und Einstellungen\Jimbo\InstallAnywhere
2006-12-05 11:52 <DIR> d-------- C:\Programme\7-Zip
2006-12-05 11:48 <DIR> d--hs---- C:\RECYCLER
2006-12-05 11:48 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\Macromedia
2006-12-05 11:40 <DIR> d-------- C:\WINDOWS\IBM
2006-12-05 11:34 <DIR> d-------- C:\Programme\MSXML 4.0
2006-12-05 11:34 <DIR> d-------- C:\c29403ddf02d1573ea1947
2006-12-05 11:29 <DIR> d-------- C:\WINDOWS\pss
2006-12-05 11:25 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Windows Genuine Advantage
2006-12-05 11:03 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-12-05 11:01 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-12-05 11:01 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-12-05 11:00 <DIR> d---s---- C:\Dokumente und Einstellungen\Jimbo\UserData
2006-12-05 11:00 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google
2006-12-04 20:09 <DIR> dr-h----- C:\Dokumente und Einstellungen\Jimbo\SendTo
2006-12-04 20:09 <DIR> dr-h----- C:\Dokumente und Einstellungen\Jimbo\Recent
2006-12-04 20:09 <DIR> dr-h----- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\.
2006-12-04 20:09 <DIR> dr-h----- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten
2006-12-04 20:09 <DIR> dr------- C:\Dokumente und Einstellungen\Jimbo\Startmen�
2006-12-04 20:09 <DIR> dr------- C:\Dokumente und Einstellungen\Jimbo\Favoriten
2006-12-04 20:09 <DIR> dr------- C:\Dokumente und Einstellungen\Jimbo\Eigene Dateien
2006-12-04 20:09 <DIR> d--h----- C:\Dokumente und Einstellungen\Jimbo\Vorlagen
2006-12-04 20:09 <DIR> d--h----- C:\Dokumente und Einstellungen\Jimbo\Netzwerkumgebung
2006-12-04 20:09 <DIR> d--h----- C:\Dokumente und Einstellungen\Jimbo\Lokale Einstellungen
2006-12-04 20:09 <DIR> d--h----- C:\Dokumente und Einstellungen\Jimbo\Druckumgebung
2006-12-04 20:09 <DIR> d---s---- C:\Dokumente und Einstellungen\Jimbo\Cookies
2006-12-04 20:09 <DIR> d---s---- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\Microsoft
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Desktop
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\ThinkVantage
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\Symantec
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\Identities
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\IBM
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\Google
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\ATI
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\Anwendungsdaten\..
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\..
2006-12-04 20:09 <DIR> d-------- C:\Dokumente und Einstellungen\Jimbo\.
2006-12-04 20:04 <DIR> d-------- C:\WINDOWS\system32\Client Security


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-07 00:45 -------- d-------- C:\Programme\Internet Explorer
2006-12-06 20:24 -------- d-------- C:\Programme\ThinkVantage Fingerprint Software
2006-12-06 13:01 -------- d-------- C:\Programme\Symantec
2006-12-06 13:01 -------- d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared
2006-12-06 12:58 -------- d-------- C:\Programme\Gemeinsame Dateien\Microsoft Shared
2006-12-06 12:20 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-12-06 01:13 -------- d-------- C:\Programme\ThinkPad
2006-12-06 01:12 -------- d-------- C:\Programme\Intel
2006-12-06 00:55 11712 --a------ C:\WINDOWS\system32\EGATHDRV.SYS
2006-12-05 17:18 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-12-05 17:17 -------- d-------- C:\Programme\Gemeinsame Dateien\System
2006-12-05 12:19 -------- d-------- C:\Programme\Lenovo
2006-12-05 11:38 -------- d-------- C:\Programme\Google
2006-12-05 11:31 -------- d-------- C:\Programme\Windows Media Player
2006-12-05 11:31 -------- d-------- C:\Programme\Outlook Express
2006-12-05 11:30 -------- d-------- C:\Programme\Messenger
2006-12-04 20:09 0 --ah----- C:\IO.SYS
2006-12-04 20:09 0 --ah----- C:\CONFIG.SYS
2006-12-04 20:09 0 --ah----- C:\AUTOEXEC.BAT
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-26 12:34 -------- d-------- C:\Programme\Diskeeper Corporation
2006-10-26 12:32 109056 --a------ C:\WINDOWS\system32\pxinsi64.exe
2006-10-26 12:32 108544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2006-10-26 12:32 -------- d-------- C:\Programme\TVT SMBus
2006-10-26 12:32 -------- d-------- C:\Programme\SMI2
2006-10-26 12:24 -------- d-------- C:\Programme\IBM ThinkVantage
2006-10-26 12:23 -------- d-------- C:\Programme\Gemeinsame Dateien\InterVideo
2006-10-26 12:22 -------- d-------- C:\Programme\PCDR5
2006-10-26 12:22 -------- d-------- C:\Programme\InterVideo
2006-10-26 12:21 -------- d-------- C:\Programme\Sonic
2006-10-26 12:21 -------- d-------- C:\Programme\Multimedia Center for Think Offerings
2006-10-26 12:21 -------- d-------- C:\Programme\Gemeinsame Dateien\SureThing Shared
2006-10-26 12:21 -------- d-------- C:\Programme\Gemeinsame Dateien\Sonic Shared
2006-10-26 12:19 -------- d-------- C:\Programme\ThinkVantage
2006-10-26 12:17 -------- d-------- C:\Programme\Windows Media Connect
2006-10-26 12:15 -------- d-------- C:\Programme\CONEXANT
2006-10-26 12:11 -------- d-------- C:\Programme\ATI Technologies
2006-10-26 12:06 -------- d-------- C:\Programme\Gemeinsame Dateien\snp2std
2006-10-26 12:05 -------- d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2006-10-26 12:04 21275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-10-26 12:03 -------- d-------- C:\Programme\Gemeinsame Dateien\InstallShield
2006-10-26 11:49 -------- d-------- C:\Programme\Analog Devices
2006-10-26 11:48 -------- d-------- C:\Programme\Synaptics
2006-10-13 13:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 13:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 13:35 146432 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 11:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-09-30 09:18 524288 --a------ C:\WINDOWS\opuc.dll
2006-09-13 06:02 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Programme\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Programme\\Synaptics\\SynTP\\SynTPEnh.exe"
"TPKMAPHELPER"="C:\\Programme\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"TpShocks"="TpShocks.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"SoundMAXPnP"="C:\\Programme\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="C:\\Programme\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"ATICCC"="\"C:\\Programme\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"snp2std"="C:\\WINDOWS\\vsnp2std.exe"
"LPManager"="C:\\PROGRA~1\\THINKV~2\\PrdCtr\\LPMGR.exe"
"AMSG"="C:\\PROGRA~1\\THINKV~2\\AMSG\\Amsg.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="c:\\PROGRA~1\\GEMEIN~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"c:\\Programme\\Gemeinsame Dateien\\InstallShield\\UpdateService\\issch.exe\" -start"
"AwaySch"="C:\\Programme\\Lenovo\\AwayTask\\AwaySch.EXE"
"cssauth"="\"C:\\Programme\\IBM ThinkVantage\\Client Security Solution\\cssauth.exe\" silent"
"PDService.exe"="\"C:\\Programme\\IBM ThinkVantage\\SafeGuard PrivateDisk\\pdservice.exe\""
"DiskeeperSystray"="\"C:\\Programme\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"ACTray"="C:\\Programme\\ThinkPad\\ConnectUtilities\\ACTray.exe"
"ACWLIcon"="C:\\Programme\\ThinkPad\\ConnectUtilities\\ACWLIcon.exe"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"TVT Scheduler Proxy"="C:\\Programme\\Gemeinsame Dateien\\Lenovo\\Scheduler\\scheduler_proxy.exe"
"Zone Labs Client"="\"E:\\Programme\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"E:\\Programme\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"TPKBDLED"="C:\\WINDOWS\\system32\\TpScrLk.exe"
"F-StopW"="E:\\Programme\\FSI\\F-Prot\\F-StopW.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\PMTask.job

Completion time: 06-12-07 2:03:53.90
C:\ComboFix.txt ... 06-12-07 02:03

--- END COMBOFIX LOG ---

11) A scan with F-Secure Blacklight Rootkit Eliminator which didn't find anything it seems

--- START F-SECURE BLACKLIGHT LOG---

12/07/06 02:13:51 [Info]: BlackLight Engine 1.0.47 initialized
12/07/06 02:13:51 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/07/06 02:13:52 [Note]: 7019 4
12/07/06 02:13:52 [Note]: 7005 0
12/07/06 02:13:54 [Note]: 7006 0
12/07/06 02:13:54 [Note]: 7011 3192
12/07/06 02:13:55 [Note]: 7026 0
12/07/06 02:13:55 [Note]: 7026 0
12/07/06 02:14:07 [Note]: FSRAW library version 1.7.1020
12/07/06 02:17:45 [Note]: 7007 0

--- END F-SECURE BLACKLIGHT LOG ---

12) A scan with McAfee AVERT Stinger

--- START McAfee AVERT Stinger LOG---

McAfee AVERT Stinger Version 2.6.0. built on Apr 5 2006
Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Feb 2 2006.
Ready to scan for 55 viruses, trojans and variants.

Scan initiated on Thu Dec 07 02:34:13 2006

Number of clean files: 98884

--- END McAfee AVERT Stinger LOG---

13) A scan with HijackThis

--- START HijackThis LOG ---

Logfile of HijackThis v1.99.1
Scan saved at 02:08:40, on 07.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Dokumente und Einstellungen\Jimbo\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\system32\safeie.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~2\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Programme\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Programme\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Programme\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Programme\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [F-StopW] E:\Programme\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &Download all by WellGet - E:\Programme\WellGet\nxall.htm
O8 - Extra context menu item: Download by &WellGet - E:\Programme\WellGet\nxcatch.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - E:\Programme\WellGet\WellGet.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/de/de
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165312854087
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Programme\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - E:\Programme\FSI\F-Prot\fpavupdm.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Programme\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Programme\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--- END HijackThis LOG ---

So is there anything left over on my system or did I manage to get it clean.
kevlar21

BC AdBot (Login to Remove)

 


m

#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:52 PM

Posted 07 December 2006 - 06:23 AM

Hi kevlar21, :huh:

Wow, you're not one of a lazy type, that's for sure. :flowers:

I will go through all the information you produced so need some time. In the meantime please post a fresh HijackThis log in Normal mode since the one you posted is probably done in safe mode so doesn't show all that is there.

Thanks for your patience. :thumbsup:

#3 kevlar21

kevlar21
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 07 December 2006 - 08:20 AM

Hello Falu,

thank you in advance for taking the time to help me. :flowers:

Hi kevlar21, :huh:

Wow, you're not one of a lazy type, that's for sure. :thumbsup:


Well I thought every second I invest now in properly cleaning up my system will save me lots of nerves and time later on. Nothing is more annoying then a infected system.

And I read some of the other threads about similiar infections and thought "Hey, why not try it out on my
own. And then provide, right at the start, as much information as I can".

Here is the requested fresh HijackThis Log made in Normal mode.

--- START HijackThis LOG ---

Logfile of HijackThis v1.99.1
Scan saved at 13:58:56, on 07.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
c:\programme\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programme\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\vsnp2std.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~2\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\Lenovo\AwayTask\AwaySch.EXE
C:\Programme\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Programme\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
E:\Programme\ZoneAlarm\zlclient.exe
E:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\TpScrLk.exe
E:\Programme\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Programme\ThinkPad\Bluetooth Software\BTTray.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
E:\Programme\Opera9.02\Opera.exe
C:\Dokumente und Einstellungen\Jimbo\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\system32\safeie.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~2\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Programme\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Programme\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Programme\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Programme\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [F-StopW] E:\Programme\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &Download all by WellGet - E:\Programme\WellGet\nxall.htm
O8 - Extra context menu item: Download by &WellGet - E:\Programme\WellGet\nxcatch.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - E:\Programme\WellGet\WellGet.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/de/de
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165312854087
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Programme\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - E:\Programme\FSI\F-Prot\fpavupdm.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Programme\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Programme\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--- END HijackThis LOG ---

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:52 PM

Posted 09 December 2006 - 04:54 PM

Hi kevlar21, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

I already performed a number of steps and now wanted to know if there is anything left to do


You did a lot and quite properly as it looks like.

1. HijackThis log looks okay, just a leftover from Norton Antivirus which was once on your machine, I assume.

2. Run HijackThis, click Scan and checkmark the following entries:

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Next do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky report along with a fresh HijackThis log.

#5 kevlar21

kevlar21
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 10 December 2006 - 06:41 AM

Hi Falu,

thanks for your reply and checking up my logs. :thumbsup:

Here are the requested logs:
I think they should be ok now. The HijackThis-log is basically the same, beside the removed item and some new entries for the AVG Antispyware and SuperAntiSpyware I installed in the meantime.

The Kasperskylog also seems clear. There are mainly locked files which all seem to be standard files to me.
There 5 infected/ 2 viruses found but 4 of them seem related to the SmitfraudFix-Tool I installed. One is a quarantine file from the HouseCall scanner.

I guess those found in the System Restore also belong to SmitFraudFix but nevertheless I will clean out the System Restore Files and make a new clean restore point as descriped here e.g by D-Trojanator

Thanks again for your help. It's really appreciated.

--- START HijackThis LOG ---
Logfile of HijackThis v1.99.1
Scan saved at 10:38:29, on 10.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\programme\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programme\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~2\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\Lenovo\AwayTask\AwaySch.EXE
C:\Programme\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Programme\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
E:\Programme\ZoneAlarm\zlclient.exe
E:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\TpScrLk.exe
E:\Programme\FSI\F-Prot\F-StopW.EXE
E:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Programme\ThinkPad\Bluetooth Software\BTTray.exe
E:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Dokumente und Einstellungen\Jimbo\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\system32\safeie.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~2\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Programme\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Programme\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Programme\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Programme\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [F-StopW] E:\Programme\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &Download all by WellGet - E:\Programme\WellGet\nxall.htm
O8 - Extra context menu item: Download by &WellGet - E:\Programme\WellGet\nxcatch.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - E:\Programme\WellGet\WellGet.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\\PkgMgr.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/de/de
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165312854087
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - E:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Programme\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - E:\Programme\FSI\F-Prot\fpavupdm.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Programme\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Programme\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--- END HijackThis LOG ---

--- START KASPERSKY LOG ---
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 10, 2006 12:06:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/12/2006
Kaspersky Anti-Virus database records: 253713
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 75694
Number of viruses found: 2
Number of infected objects: 5 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:55:39

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lenovo\messages\logs\lf000.log Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Noride\.housecall6.6\Quarantine\opr00GYL.htm.bac_a03136 Infected: Exploit.HTML.IframeBof skipped
C:\Dokumente und Einstellungen\Noride\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Noride\Desktop\Malware Tools\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Dokumente und Einstellungen\Noride\Desktop\Malware Tools\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Dokumente und Einstellungen\Noride\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Noride\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Noride\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Noride\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Noride\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\Noride\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{017226FB-C5FE-4999-80EB-E41B3BDA380B}\RP1\A0000069.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{017226FB-C5FE-4999-80EB-E41B3BDA380B}\RP1\A0000081.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{017226FB-C5FE-4999-80EB-E41B3BDA380B}\RP14\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\AMCOMPUTER.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_160.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT01051.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07d4b.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

--- END KASPERSKY LOG ---

#6 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:52 PM

Posted 11 December 2006 - 04:21 AM

HI kevlar21, :flowers:

thanks for your reply and checking up my logs


You're very welcome!

1. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

2. You've downloaded a lot of programmes which you better remove since they're updated very regurlarly; almost daily.

In fact you're almost ready to go.

3. Remove previous restore points and set a new one to purge any malware that may have been backed up:

Click Start>Help and Support>Undo changes to your computer with System Restore
Click Create A Restore Point then click Next. Give it a name it and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

This will remove all previous restore points except the newly created one.

4. In order to prevent future infections follow these recommendations:

a. Visit Windows Update on a regular basis to stay current with critical updates.

b. Install and run the following free programs:

* Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here!

* Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found
here! Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly.
If you do not update regularly they will not be able to catch any of the new variants that may come out.

c. I recommend you to read Tony Klein's excellent article: So how did I get infected in the first place?

d. If you want to fight back the Malware Writers, please take a look here!

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BleepingComputer Forums, we also help people with other computer problems! Do not forget to tell your friends about us!

Good luck! :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users