I must have picked up a virus or some such.
Post by sloans » August 15th, 2008, 1:25 pm

When I turn my computer on I get an acrobat 7.0 screen showing some startup files, IE opens without its favorites and tabs on the explorer bar. When closing IE there is a ctf.mon screen that appears. Here's my log and I'm hoping someone will be good enough to have a look. Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:12 AM, on 8/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/welcome/3000notebook
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8694506906
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: __c00EAF9C - C:\WINDOWS\system32\__c00EAF9C.dat
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7468 bytes
sloans
Active Member
 
Posts: 12
Joined: August 15th, 2008, 1:04 pm

Re: I must have picked up a virus or some such.

Post by Shaba » August 17th, 2008, 4:52 am

Hi sloans

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I must have picked up a virus or some such.

Post by sloans » August 17th, 2008, 4:58 pm

Thanks so much for getting back to me on this. I've been driving all weekend and haven't been able to respond until now. Since my first post, Avast free virus software found 2 trojan viruses and I've put them in its vault. The computer is still running a little strangely, though. I'm prepared to proceed with the Combofix with your go-ahead but wanted you to know what changes I've made in case it affected your advice. Thanks again. -Sloans

Here's my updated combofix log and hijackthis log

Post by sloans » August 17th, 2008, 10:03 pm

ComboFix 08-08-17.03 - Paul 2008-08-17 19:34:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.253 [GMT -6:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Paul\Application Data\macromedia\Flash Player\#SharedObjects\URHW8NXP\interclick.com
C:\Documents and Settings\Paul\Application Data\macromedia\Flash Player\#SharedObjects\URHW8NXP\interclick.com\ud.sol
C:\Documents and Settings\Paul\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Paul\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Paul\Cookies\paul@ads.revsci[1].txt
C:\Documents and Settings\Paul\UserData
C:\Documents and Settings\Paul\UserData\index.dat
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\__c00EAF9C.dat
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-15 23:05 . 2008-08-15 23:05 1,160 --a------ C:\WINDOWS\mozver.dat
2008-08-15 22:52 . 2008-08-16 00:49 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-15 22:26 . 2008-08-15 22:26 <DIR> d-------- C:\Documents and Settings\Paul\DoctorWeb
2008-08-15 14:21 . 2008-08-15 14:21 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-15 14:03 . 2008-08-15 14:23 <DIR> d-------- C:\Program Files\NOS
2008-08-15 14:03 . 2008-08-15 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-08-15 09:55 . 2008-08-15 09:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 22:12 . 2006-11-25 18:58 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2\Application Data\ThinkVantage
2008-08-14 22:12 . 2006-11-25 18:40 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2\Application Data\Symantec
2008-08-14 22:12 . 2007-01-05 15:45 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2\Application Data\Lenovo
2008-08-14 22:12 . 2008-08-14 22:12 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2
2008-08-14 22:01 . 2008-08-14 22:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-14 21:25 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-08-14 07:54 . 2008-08-14 07:54 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-14 07:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-14 07:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-14 00:59 . 2008-08-14 00:59 0 --a------ C:\23990098.$$$
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-08-14 00:36 . 2008-08-14 00:52 50 --a------ C:\WINDOWS\Lic.xxx
2008-08-14 00:35 . 2008-04-13 18:12 146,432 --a------ C:\WINDOWS\R.COM
2008-08-14 00:35 . 2008-04-13 18:12 135,680 --a------ C:\WINDOWS\system32\T.COM
2008-08-12 13:33 . 2008-05-01 08:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 13:27 . 2008-04-11 13:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 00:19 . 2008-08-12 00:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-12 00:19 . 2008-08-12 00:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-10 21:54 . 2008-04-13 18:12 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-10 21:54 . 2008-04-13 12:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-10 21:54 . 2008-04-13 12:45 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-10 21:54 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-01 22:57 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-01 22:50 . 2008-08-01 22:50 <DIR> d-------- C:\WINDOWS\EHome
2008-08-01 22:02 . 2008-04-13 18:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-08-01 22:01 . 2008-04-13 18:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 20:20 --------- d-----w C:\Program Files\Common Files\Adobe



Now here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:31 PM, on 8/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashAvast.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/welcome/3000notebook
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8694506906
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7345 bytes

Re: I must have picked up a virus or some such.

Post by Shaba » August 18th, 2008, 4:07 am

Combofix log cuts off.

Please re-send it :)

Re: I must have picked up a virus or some such.

Post by sloans » August 18th, 2008, 11:11 am

Sorry, resending ComboFix report.

ComboFix 08-08-17.03 - Paul 2008-08-18 9:01:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.227 [GMT -6:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Paul\Cookies\paul@ads.revsci[1].txt
C:\Documents and Settings\Paul\UserData
C:\Documents and Settings\Paul\UserData\index.dat
C:\Documents and Settings\Paul\UserData\W86MQHT1\www[1].xml

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-15 23:05 . 2008-08-15 23:05 1,160 --a------ C:\WINDOWS\mozver.dat
2008-08-15 22:52 . 2008-08-16 00:49 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-15 22:26 . 2008-08-15 22:26 <DIR> d-------- C:\Documents and Settings\Paul\DoctorWeb
2008-08-15 14:21 . 2008-08-15 14:21 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-15 14:03 . 2008-08-15 14:23 <DIR> d-------- C:\Program Files\NOS
2008-08-15 14:03 . 2008-08-15 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-08-15 09:55 . 2008-08-15 09:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 22:12 . 2006-11-25 18:58 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2\Application Data\ThinkVantage
2008-08-14 22:12 . 2006-11-25 18:40 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2\Application Data\Symantec
2008-08-14 22:12 . 2007-01-05 15:45 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2\Application Data\Lenovo
2008-08-14 22:12 . 2008-08-14 22:12 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2
2008-08-14 22:01 . 2008-08-14 22:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-14 21:25 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-08-14 07:54 . 2008-08-14 07:54 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-14 07:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-14 07:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-14 00:59 . 2008-08-14 00:59 0 --a------ C:\23990098.$$$
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-08-14 00:52 . 2008-08-14 00:52 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-08-14 00:36 . 2008-08-14 00:52 50 --a------ C:\WINDOWS\Lic.xxx
2008-08-14 00:35 . 2008-04-13 18:12 146,432 --a------ C:\WINDOWS\R.COM
2008-08-14 00:35 . 2008-04-13 18:12 135,680 --a------ C:\WINDOWS\system32\T.COM
2008-08-12 13:33 . 2008-05-01 08:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 13:27 . 2008-04-11 13:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 00:19 . 2008-08-12 00:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-12 00:19 . 2008-08-12 00:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-10 21:54 . 2008-04-13 18:12 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-10 21:54 . 2008-04-13 12:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-10 21:54 . 2008-04-13 12:45 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-10 21:54 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-01 22:57 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-01 22:50 . 2008-08-01 22:50 <DIR> d-------- C:\WINDOWS\EHome
2008-08-01 22:02 . 2008-04-13 18:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-08-01 22:01 . 2008-04-13 18:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 20:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-15 04:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-15 03:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-15 00:58 --------- d-----w C:\Documents and Settings\Paul\Application Data\Lavasoft
2008-08-15 00:50 --------- d-----w C:\Program Files\PCDR5
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-17_19.40.16.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-18 15:04:38 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_284.dat
+ 2008-08-18 15:04:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-10 16:28:38 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-10-05 21:53 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-01-11 00:05 13824 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
--------- 2005-11-22 05:36 507904 C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-01-25 03:45 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--------- 2006-06-25 07:19 1273856 C:\WINDOWS\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
--------- 2006-07-14 20:13 2341632 C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--------- 2006-05-18 18:24 196696 C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--------- 2006-03-22 22:13 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--------- 2006-03-22 22:17 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--------- 2006-03-22 22:17 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-08-09 08:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2005-06-10 12:44 81920 C:\Program Files\Common Files\Installshield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--------- 2006-10-30 11:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
--------- 2006-07-03 10:11 110592 C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-r------- 2006-01-30 10:00 98304 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--------- 2006-03-15 17:07 421888 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMHandler]
--------- 2006-08-22 01:54 33128 C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-10-19 20:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--------- 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--------- 2007-08-14 21:34 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--------- 2006-05-18 23:51 774233 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
--------- 2006-05-07 19:34 94208 C:\Program Files\Lenovo\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPWAUDAP]
--------- 2006-04-19 16:29 24576 C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--------- 2006-07-14 20:05 503808 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--------- 2006-08-30 01:40 89542 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--------- 2005-05-03 03:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--------- 2006-07-21 01:56 16261632 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--------- 2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 11:27]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 08:35]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 02:33]
R1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys [2006-05-24 13:48]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 08:37]
R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2006-07-14 17:55]
.
Contents of the 'Scheduled Tasks' folder

2008-05-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-18 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-06-25 12:08]

2008-08-14 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-06-25 12:08]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\s01ajjuu.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 09:05:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
Completion time: 2008-08-18 9:08:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 15:08:03
ComboFix2.txt 2008-08-18 01:40:40

Pre-Run: 9,287,843,840 bytes free
Post-Run: 9,278,271,488 bytes free

209 --- E O F --- 2008-08-14 13:54:45
sloans
Active Member
 
Posts: 12
Joined: August 15th, 2008, 1:04 pm

Re: I must have picked up a virus or some such.

Unread postby Shaba » August 18th, 2008, 11:22 am

It looks like there might be a file infector.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found: Image
  • If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:
    Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the Dr.Web log you saved previously in your next reply.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I must have picked up a virus or some such.

Unread postby sloans » August 18th, 2008, 2:20 pm

Here's the Dr.Web CureIt file that came out as a .csv. If you can't read it I'll see if I can change the format to .txt or whatever:

ComboFix.exe\327882R2FWJFW\List-C.bat;C:\Documents and Settings\Paul\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Paul\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Paul\Desktop;Archive contains infected objects;Moved.;
pv.exe;C:\Program Files\Hewlett-Packard\OrderReminder\uninstall;Program.PrcView.3741;Moved.;
TSsetup.exe\data002;C:\SWTOOLS\APPS\AOL\CA\comps\tpspd\TSsetup.exe;Probably DLOADER.Trojan;;
TSsetup.exe;C:\SWTOOLS\APPS\AOL\CA\comps\tpspd;Archive contains infected objects;Moved.;
AOLCINST.EXE\core.cab\GTDOWNAO_106.ocx;C:\SWTOOLS\APPS\AOL\US\COMPS\COACH\AOLCINST.EXE;Adware.Gdown;;
AOLCINST.EXE;C:\SWTOOLS\APPS\AOL\US\COMPS\COACH;Archive contains infected objects;Moved.;
stream001\uninstll.exe;C:\SWTOOLS\APPS\Earthlink\EarthLink Setup.exe\\Windows\access\EarthLink Setup.msi\stream001;Probably STPAGE.Trojan;;
stream001;C:\SWTOOLS\APPS\Earthlink\EarthLink Setup.exe\\Windows\access\EarthLink Setup.msi;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\SWTOOLS\APPS\Earthlink\EarthLink Setup.exe\\Windows\access;Archive contains infected objects;;
EarthLink Setup.exe;C:\SWTOOLS\APPS\Earthlink;Archive contains infected objects;Moved.;
A0000051.bat;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Probably BATCH.Virus;Moved.;
A0000077.bat;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Probably BATCH.Virus;Moved.;
A0000095.EXE;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Program.PsExec.170;Moved.;
A0000146.bat;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Probably BATCH.Virus;Moved.;
A0000164.EXE;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Program.PsExec.170;Moved.;
A0000205.exe\327882R2FWJFW\List-C.bat;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2\A0000205.exe;Probably BATCH.Virus;;
A0000205.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2\A0000205.exe;Program.PsExec.171;;
A0000205.exe;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Archive contains infected objects;Moved.;
A0000206.exe\data002;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2\A0000206.exe;Probably DLOADER.Trojan;;
A0000206.exe;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Archive contains infected objects;Moved.;
A0000207.EXE\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2\A0000207.EXE;Adware.Gdown;;
A0000207.EXE;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Archive contains infected objects;Moved.;
stream001\uninstll.exe;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2\A0000208.exe\\Windows\access\EarthLink Setup.ms;Probably STPAGE.Trojan;;
stream001;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2\A0000208.exe\\Windows\access\EarthLink Setup.ms;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2\A0000208.exe\\Windows\access;Archive contains infected objects;;
A0000208.exe;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Archive contains infected objects;Moved.;
sloans
Active Member
 
Posts: 12
Joined: August 15th, 2008, 1:04 pm

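The report above is a semicolon-separated list that is easier to act on once it is sorted by what CureIt actually did: a nested object (written as container\member) is not a file on disk and only its container can be moved or put back, and copies inside System Restore snapshots are a separate case again. The Python below is an added example for this thread, not a Dr.Web tool and not code posted by anyone here. It parses DrWeb.csv records, separates archive members, restore-point copies and real on-disk files that were moved to quarantine, and reconstructs the original full paths of the latter. The sample records are copied from the report above; the list of container extensions is an assumption.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv).

Each record is "object;location;threat;action;". For an object found inside
an archive or installer the object is written as "container\\member" and the
location is the full path of the container, so the member is not a file on
disk by itself: only the container can be moved or restored.
"""
from dataclasses import dataclass
import re

# File types CureIt unpacked in the posted report (assumption: extend as needed)
CONTAINER_RE = re.compile(r"\.(exe|msi|cab|zip|rar)(\\|$)", re.IGNORECASE)


@dataclass
class Detection:
    name: str       # object name; "container\member" for nested objects
    location: str   # directory, or the container's path for nested objects
    threat: str     # Dr.Web verdict
    action: str     # "Moved." when CureIt quarantined the object, else empty

    @property
    def in_restore_point(self) -> bool:
        """System Restore snapshot copies live under System Volume Information."""
        return "\\system volume information\\" in self.location.lower()

    @property
    def is_archive_member(self) -> bool:
        """Nested object: the name carries an inner path, or the location is a container."""
        return "\\" in self.name or CONTAINER_RE.search(self.location) is not None

    @property
    def full_path(self) -> str:
        return "\\".join((self.location.rstrip("\\"), self.name.lstrip("\\")))


def parse_report(text: str) -> list[Detection]:
    """Parse DrWeb.csv lines; every record ends with a trailing ';'."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) < 4:
            raise ValueError(f"malformed Dr.Web record: {line!r}")
        name, location, threat, action = (p.strip() for p in parts[:4])
        records.append(Detection(name, location, threat, action))
    return records


def triage(detections: list[Detection]) -> dict[str, list[Detection]]:
    """Sort detections into the groups a helper handles differently."""
    buckets: dict[str, list[Detection]] = {
        "restore_point": [], "archive_member": [], "moved_on_disk": [], "not_actioned": []}
    for d in detections:
        if d.in_restore_point:
            buckets["restore_point"].append(d)    # snapshot copies, not live files
        elif d.is_archive_member:
            buckets["archive_member"].append(d)   # only the container was acted on
        elif d.action == "Moved.":
            buckets["moved_on_disk"].append(d)    # real files now sitting in quarantine
        else:
            buckets["not_actioned"].append(d)
    return buckets


def quarantined_paths(detections: list[Detection]) -> list[str]:
    """Original full paths of the on-disk files CureIt moved to quarantine."""
    return [d.full_path for d in triage(detections)["moved_on_disk"]]


# Records copied from the report posted in this thread (a subset, including two
# restore-point entries); nothing here is constructed except the selection.
SAMPLE_REPORT = r"""
ComboFix.exe\327882R2FWJFW\List-C.bat;C:\Documents and Settings\Paul\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Paul\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Paul\Desktop;Archive contains infected objects;Moved.;
pv.exe;C:\Program Files\Hewlett-Packard\OrderReminder\uninstall;Program.PrcView.3741;Moved.;
TSsetup.exe\data002;C:\SWTOOLS\APPS\AOL\CA\comps\tpspd\TSsetup.exe;Probably DLOADER.Trojan;;
TSsetup.exe;C:\SWTOOLS\APPS\AOL\CA\comps\tpspd;Archive contains infected objects;Moved.;
stream001\uninstll.exe;C:\SWTOOLS\APPS\Earthlink\EarthLink Setup.exe\\Windows\access\EarthLink Setup.msi\stream001;Probably STPAGE.Trojan;;
stream001;C:\SWTOOLS\APPS\Earthlink\EarthLink Setup.exe\\Windows\access\EarthLink Setup.msi;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\SWTOOLS\APPS\Earthlink\EarthLink Setup.exe\\Windows\access;Archive contains infected objects;;
EarthLink Setup.exe;C:\SWTOOLS\APPS\Earthlink;Archive contains infected objects;Moved.;
A0000051.bat;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2;Probably BATCH.Virus;Moved.;
A0000205.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP2\A0000205.exe;Program.PsExec.171;;
"""

if __name__ == "__main__":
    for group, items in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{group}: {len(items)}")
        for d in items:
            print(f"  {d.threat:<35} {d.full_path}")
```

The "moved_on_disk" group is the one that matters when deciding what to put back from quarantine: the nested members never left their container, and the restore-point copies are snapshot files rather than anything in use.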
Re: I must have picked up a virus or some such.

Unread postby Shaba » August 18th, 2008, 2:45 pm

That is fine :)

You can move these back from quarantine to original folders:

ComboFix.exe;C:\Documents and Settings\Paul\Desktop;Archive contains infected objects;Moved.;
pv.exe;C:\Program Files\Hewlett-Packard\OrderReminder\uninstall;Program.PrcView.3741;Moved.;
TSsetup.exe\data002;C:\SWTOOLS\APPS\AOL\CA\comps\tpspd\TSsetup.exe;Probably DLOADER.Trojan;;
TSsetup.exe;C:\SWTOOLS\APPS\AOL\CA\comps\tpspd;Archive contains infected objects;Moved.;
AOLCINST.EXE\core.cab\GTDOWNAO_106.ocx;C:\SWTOOLS\APPS\AOL\US\COMPS\COACH\AOLCINST.EXE;Adware.Gdown;;
AOLCINST.EXE;C:\SWTOOLS\APPS\AOL\US\COMPS\COACH;Archive contains infected objects;Moved.;
stream001\uninstll.exe;C:\SWTOOLS\APPS\Earthlink\EarthLink Setup.exe\\Windows\access\EarthLink Setup.msi\stream001;Probably STPAGE.Trojan;;
stream001;C:\SWTOOLS\APPS\Earthlink\EarthLink Setup.exe\\Windows\access\EarthLink Setup.msi;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\SWTOOLS\APPS\Earthlink\EarthLink Setup.exe\\Windows\access;Archive contains infected objects;;
EarthLink Setup.exe;C:\SWTOOLS\APPS\Earthlink;Archive contains infected objects;Moved.;

After that:

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\Lic.xxx
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM

Folder::
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

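Once the script has run, the way to confirm it did what it listed is to compare it with the "Other Deletions" section of the ComboFix log it produced. The Python below is an added example for this thread, not part of ComboFix and not code posted by anyone here. It parses the File::/Folder:: sections of a CFScript and the deletions section of a ComboFix log, and reports which scripted paths appear among the deletions, which do not, and which deletions ComboFix made on its own. The sample script is the one above; the sample log excerpt is copied from the ComboFix log posted later in this thread.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

A CFScript is a plain-text file of directive sections ("File::", "Folder::"
as used in this thread); every non-blank line under a directive is one path.
After the run, the paths ComboFix removed are listed in the log under the
"Other Deletions" banner, so every scripted path can be confirmed there.
"""
import re

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "File::" or "Folder::"
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a line that is a Windows path


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Map each directive ("File", "Folder", ...) to the paths listed under it."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"path before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_deletions(log: str) -> set[str]:
    """Paths under the 'Other Deletions' banner of a ComboFix log, lower-cased."""
    deleted: set[str] = set()
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break                                   # the next banner ends the section
        if in_section and WIN_PATH_RE.match(line):
            deleted.add(line.lower())               # NTFS paths compare case-insensitively
    return deleted


def check_script_applied(script: str, log: str) -> dict[str, list[str]]:
    """Which scripted paths the log confirms removed, which it does not, and extras."""
    scripted = [p for paths in parse_cfscript(script).values() for p in paths]
    deleted = parse_deletions(log)
    scripted_lower = {p.lower() for p in scripted}
    return {
        "applied": [p for p in scripted if p.lower() in deleted],
        "missing": [p for p in scripted if p.lower() not in deleted],
        "extra": sorted(d for d in deleted if d not in scripted_lower),
    }


# The CFScript posted in this thread
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\Lic.xxx
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM

Folder::
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe
"""

# Excerpt of the ComboFix log posted later in this thread
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Paul\Cookies\paul@ads.revsci[1].txt
C:\Documents and Settings\Paul\UserData
C:\Documents and Settings\Paul\UserData\index.dat
C:\WINDOWS\Lic.xxx
C:\WINDOWS\logo1_.exe
C:\WINDOWS\R.COM
C:\WINDOWS\rundl132.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\system32\T.COM
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\zts2.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
"""

if __name__ == "__main__":
    for key, paths in check_script_applied(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{key} ({len(paths)}):")
        for p in paths:
            print("  " + p)
```

A non-empty "missing" list is the signal to look again at the log (for instance, a path that was mistyped in the script, or a file that was locked and survived the run); the "extra" list shows what ComboFix removed beyond the script, which here is the cookie and the UserData folder.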
Re: I must have picked up a virus or some such.

Unread postby sloans » August 18th, 2008, 3:29 pm

I can't find anywhere on the Dr.Web interface for returning the moved files back from whence they came, and I can't get to ComboFix without extracting the combofix.exe files back from DrWeb. So I'm trying to run the complete DrWeb scan again to see if there's an opportunity to move those files back. Was I supposed to download the full version of DrWeb? Thanks :(
sloans
Active Member
 
Posts: 12
Joined: August 15th, 2008, 1:04 pm

Re: I must have picked up a virus or some such.

Unread postby sloans » August 18th, 2008, 5:49 pm

I never did figure out how to restore the moved files in DrWeb, so I downloaded ComboFix again and dragged the file you specified into it. Here's the log from that, followed by the new HijackThis log:

ComboFix 08-08-18.01 - Paul 2008-08-18 15:35:30.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.285 [GMT -6:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Paul\My Documents\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Lic.xxx
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Paul\Cookies\paul@ads.revsci[1].txt
C:\Documents and Settings\Paul\UserData
C:\Documents and Settings\Paul\UserData\index.dat
C:\WINDOWS\Lic.xxx
C:\WINDOWS\logo1_.exe
C:\WINDOWS\R.COM
C:\WINDOWS\rundl132.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\system32\T.COM
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\zts2.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-15 23:05 . 2008-08-15 23:05 1,160 --a------ C:\WINDOWS\mozver.dat
2008-08-15 22:52 . 2008-08-16 00:49 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-15 22:26 . 2008-08-18 10:20 <DIR> d-------- C:\Documents and Settings\Paul\DoctorWeb
2008-08-15 14:21 . 2008-08-15 14:21 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-15 14:03 . 2008-08-15 14:23 <DIR> d-------- C:\Program Files\NOS
2008-08-15 14:03 . 2008-08-15 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-08-15 09:55 . 2008-08-15 09:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 22:12 . 2006-11-25 18:58 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2\Application Data\ThinkVantage
2008-08-14 22:12 . 2006-11-25 18:40 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2\Application Data\Symantec
2008-08-14 22:12 . 2007-01-05 15:45 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2\Application Data\Lenovo
2008-08-14 22:12 . 2008-08-14 22:12 <DIR> d-------- C:\Documents and Settings\Administrator.LAPTOP2
2008-08-14 22:01 . 2008-08-14 22:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-14 21:25 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-08-14 07:54 . 2008-08-14 07:54 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-14 07:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-14 07:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-14 00:59 . 2008-08-14 00:59 0 --a------ C:\23990098.$$$
2008-08-12 13:33 . 2008-05-01 08:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 13:27 . 2008-04-11 13:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 00:19 . 2008-08-12 00:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-12 00:19 . 2008-08-12 00:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-10 21:54 . 2008-04-13 18:12 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-10 21:54 . 2008-04-13 12:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-10 21:54 . 2008-04-13 12:45 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-10 21:54 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-01 23:00 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-01 22:57 . 2008-08-01 23:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-01 22:50 . 2008-08-01 22:50 <DIR> d-------- C:\WINDOWS\EHome
2008-08-01 22:02 . 2008-04-13 18:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-08-01 22:01 . 2008-04-13 18:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 00:35 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
2008-08-15 20:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-15 04:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-15 03:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-15 00:58 --------- d-----w C:\Documents and Settings\Paul\Application Data\Lavasoft
2008-08-15 00:50 --------- d-----w C:\Program Files\PCDR5
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-06 01:03 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-24 16:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-17_19.40.16.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-18 01:37:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_288.dat
+ 2008-08-18 15:44:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_288.dat
+ 2008-08-18 18:07:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 18:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-10 16:28:38 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-10-05 21:53 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-01-11 00:05 13824 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
--------- 2005-11-22 05:36 507904 C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-01-25 03:45 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--------- 2006-06-25 07:19 1273856 C:\WINDOWS\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
--------- 2006-07-14 20:13 2341632 C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--------- 2006-05-18 18:24 196696 C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--------- 2006-03-22 22:13 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--------- 2006-03-22 22:17 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--------- 2006-03-22 22:17 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-08-09 08:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2005-06-10 12:44 81920 C:\Program Files\Common Files\Installshield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--------- 2006-10-30 11:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
--------- 2006-07-03 10:11 110592 C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-r------- 2006-01-30 10:00 98304 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--------- 2006-03-15 17:07 421888 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMHandler]
--------- 2006-08-22 01:54 33128 C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-10-19 20:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--------- 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--------- 2007-08-14 21:34 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--------- 2006-05-18 23:51 774233 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
--------- 2006-05-07 19:34 94208 C:\Program Files\Lenovo\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPWAUDAP]
--------- 2006-04-19 16:29 24576 C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
--------- 2006-07-14 20:05 503808 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--------- 2006-08-30 01:40 89542 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--------- 2005-05-03 03:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--------- 2006-07-21 01:56 16261632 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--------- 2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 11:27]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 08:35]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 02:33]
R1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys [2006-05-24 13:48]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 08:37]
R2 smi2;smi2;C:\Program Files\SMI2\smi2.sys [2006-07-14 17:55]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-05-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-18 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-06-25 12:08]

2008-08-14 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-06-25 12:08]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 15:37:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-08-18 15:38:29
ComboFix-quarantined-files.txt 2008-08-18 21:38:15
ComboFix2.txt 2008-08-18 15:08:08
ComboFix3.txt 2008-08-18 01:40:40

Pre-Run: 9,158,148,096 bytes free
Post-Run: 9,173,000,192 bytes free

230 --- E O F --- 2008-08-14 13:54:45



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:48 PM, on 8/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/welcome/3000notebook
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/3000notebook
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8694506906
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 7252 bytes
sloans
Active Member
 
Posts: 12
Joined: August 15th, 2008, 1:04 pm
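
The HijackThis log above is read by hand in this thread; as an added example (not a tool from MalwareRemoval.com or from Trend Micro), the script below parses entries in that log format and applies a few first-pass triage rules a helper would apply before asking follow-up questions: an O20 Winlogon Notify entry whose DLL is "(file missing)", O23 services with a blank or "Unknown owner" publisher field, unnamed O2 BHOs, and the hosts named in R0/R1 and O16 entries. The sample input is a constructed excerpt of lines copied from the posted log; the rule set and the `Finding` structure are this example's own assumptions, not part of HijackThis.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted above, covering the entry types the triage rules below look at.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.com/activeX/wlaninfo.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry starts with a section tag (R0..R3, O1..O24) followed by " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# O23 lines read "Service: <display name> - <publisher> - <path>"; a blank
# publisher is printed as "name - - path", which the optional group absorbs.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) -(?: (?P<owner>.*?))? - (?P<path>.+)$")
HOST_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Finding:
    severity: str   # "review" = needs a human decision, "info" = context only
    reason: str
    line: str


def parse_hjt(text):
    """Return (section, body, full_line) tuples for every recognised entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def triage(entries):
    """Apply the (assumed, example-only) first-pass review rules to parsed entries."""
    findings = []
    for section, body, line in entries:
        if section == "O20" and "(file missing)" in body:
            findings.append(Finding("review",
                "Winlogon Notify entry references a DLL that is not on disk "
                "(orphaned registration: the file was removed or never installed)", line))
        elif section == "O23":
            m = SERVICE_RE.match(body)
            owner = (m.group("owner") or "").strip() if m else ""
            if owner in ("", "Unknown owner"):
                findings.append(Finding("review",
                    "service has no recognised publisher; confirm the binary's path and signature", line))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding("info",
                "browser helper object without a display name; identify it by its DLL path", line))
        elif section == "O16":
            findings.append(Finding("info", "ActiveX control downloaded from the web", line))
        elif section in ("R0", "R1"):
            findings.append(Finding("info", "browser start/search page setting", line))
    return findings


def external_hosts(entries):
    """Collect every host named in R0/R1/O16 entries, for a quick allow-list check."""
    hosts = set()
    for section, body, _ in entries:
        if section in ("R0", "R1", "O16"):
            hosts.update(HOST_RE.findall(body))
    return sorted(hosts)


def review_items(text):
    """Convenience: only the findings that need a human decision."""
    return [f for f in triage(parse_hjt(text)) if f.severity == "review"]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for f in triage(entries):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print("hosts referenced:", ", ".join(external_hosts(entries)))
```

Run against the sample, the script marks the orphaned ACNotify entry and the two services with no publisher for review, and lists go.microsoft.com and www.jiwire.com as the hosts to compare against what the user expects; the avast service, which carries a publisher, produces no finding. These rules only surface entries for a person to look at; they do not decide that anything is malicious.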

Re: I must have picked up a virus or some such.

Unread postby Shaba » August 19th, 2008, 1:25 am

Like said in my instructions:

"This will move it to the %userprofile%\DoctorWeb\quarantine-folder if it can't be cured. (this in case if we need samples)"

So you can move them back from that folder :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I must have picked up a virus or some such.

Unread postby sloans » August 19th, 2008, 6:53 pm

I hope you don't lose your patience with me. I have located these files but I'm not really certain how to return them to their original locations other than to cut and paste them back using "My Computer". I don't have any use for earthlink or AOL and I've reloaded Combofix, so do I really need to paste them back or can we proceed from here? Thanks again for your time and patience. -Sloans
sloans
Active Member
 
Posts: 12
Joined: August 15th, 2008, 1:04 pm

Re: I must have picked up a virus or some such.

Unread postby sloans » August 19th, 2008, 9:24 pm

I have cut and pasted some of the files you mentioned out of quarantine and back into their respective places. Some with numbers I simply can't identify so the process is incomplete. Can you help me from here or should I start over? Thanks
sloans
Active Member
 
Posts: 12
Joined: August 15th, 2008, 1:04 pm

Re: I must have picked up a virus or some such.

Unread postby Shaba » August 20th, 2008, 3:46 am

If you don't need those files, then that is fine :)

We will then continue with this:

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland