Jump to content

Reappearing Trojan


Recommended Posts

Hi,

I seem to have a reappearing trojan. I have tried to remove it with Spybot and then Anti-Malware. Anti-Malware will find and remove the offending entries but they seem to reappear after a restart. Any help greatly appreciated!

The Anti-Malware log follows:

Malwarebytes' Anti-Malware 1.33

Database version: 1668

Windows 5.1.2600 Service Pack 3

21/01/2009 9:30:26 AM

mbam-log-2009-01-21 (09-30-26).txt

Scan type: Quick Scan

Objects scanned: 60070

Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The Hijack This log follows:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:03:59 AM, on 21/01/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\MagicRotation\MagicPvt.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\CNAB5RPK.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Canon\DIAS\CnxDIAS.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Lenovo\System Update\SUService.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACMainGUI.exe

C:\WINDOWS\system32\1XConfig.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mab.exe

C:\Program Files\IBM\Access IBM\aibm.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vicbar.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [uC_Start] C:\IBMTools\Updater\ucstartup.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [MagicRotation] C:\Program Files\MagicRotation\MagicPvt.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\RunOnce: [spybotDeletingC4020] cmd.exe /c del "C:\WINDOWS\system32\TDSSsihc.log"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk.disabled

O4 - Global Startup: Color Calibration.lnk.disabled

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: WinZip Quick Pick.lnk.disabled

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [JAVA_IBM] Java (IBM)

O15 - Trusted IP range: 152.91.0.2

O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/a...ntent/AcpIR.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab

O16 - DPF: {FDE14979-D821-4CD8-BE1C-9D6AF01D097F} (VMTOCCtrl Class) - http://www.justice.vic.gov.au/emanuals/VSM/vm.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--

End of file - 14532 bytes

Link to post
Share on other sites

  • Root Admin

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member
Chris Young only

. If you are a lurker, do NOT try this on your system!

If you are not
Chris Young
and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

icon_arrow.gif

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

STEP01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP02

    Download and install
    CCleaner
  • CCleaner

  • Double-click on the downloaded file "ccsetup215.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close
    ALL PROGRAMS

  • Start the
    CCleaner
    program.

  • Click on
    Registry
    and
    Uncheck
    Registry Integrity so that it does not run

  • Click on
    Options
    -
    Advanced
    and
    Uncheck
    "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to
    Cleaner
    and under SYSTEM uncheck the Memory Dumps and Windows Log Files

  • Click on
    Run Cleaner
    button on the bottom right side of the program.

  • Click OK to any prompts

STEP03

Disable your AntiVirus and AntiSpyware

applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

This should apply to AVG8:

To
disable the Resident Shield
, please:

open AVG User Interface

double-click on the Resident Shield

un-tick the option Resident Shield active

save the changes.

STEP04

Please download and run the following file to repair file and registry permissions

STEP05

  • Download
    FixPolicies.exe
    by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.

  • Click on Install. It will create a folder named FixPolicies on your desktop.

  • Open the FixPolicies folder.

  • Double click on
    Fix_policies.cmd
    to run it. Command Prompt will open and close quickly this is normal.

  • Reboot your computer after it runs

  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

  • Note: some malware will block the running of this tool. So if you cannot run Fixpolicies, then, RENAME the EXE file to something like Mytool.exe and then run it.

STEP06

Download this INF repair file by MS-MVP Miekiemoes:
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder
VArestorepolicies
and
Right-click
the file inside,
VArestorepolicies.INF
and choose
Install

STEP07

icon_arrow.gif

If you have a prior copy of Combofix, delete it now !

Download ComboFix from one of these locations, saving to DESKTOP:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware
    applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.

  • If and only if you are prompted to download a new version of Combofix, reply NO .

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF

you should see a message like this:

Rookit_found.gif

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the
C:\ComboFix.txt
in your next reply.

-------------------------------------------------------

A caution -
Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

STEP08

IF

and only
IF
the Combofix has worked without exceptions, only then, do the following. IF it has exceptions, then please provide all details and put that in a reply pronto, and STOP, and await my reply.

Only if Combofix has a good finish:

I'm going to have you get and run a special tool. It will hopefully take out most remains of this beast. Keep in mind that not all files I list here will be found on your system; so do not be alarmed. This is a general-type list of typical infectors.

Download
The Avenger
by Swandog46 from
here
.
  • Unzip/extract it to a folder on your desktop.
  • Double click on
    avenger.exe
    to run
    The Avenger
    .

  • Click
    OK
    .

  • Make sure that the box next to
    Scan for rootkits
    has a tick in it and that the box next to
    Automatically disable any rootkits found
    does
    not
    have a tick in it.

  • Copy
    all
    of the text in the below textbox to the clibpboard by highlighting it and then pressing
    Ctrl+C
    .

    Files to delete:

    C:\WINDOWS\system32\brsvc01a.exe

    C:\WINDOWS\system32\brss01a.exe

    C:\WINDOWS\SYSTEM32\TDSSixgp.dll

    C:\WINDOWS\SYSTEM32\TDSSproc.log

    C:\WINDOWS\SYSTEM32\TDSSwkod.log

    C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp

    c:\windows\system32\drivers\msqpdxserv.sys

    C:\resycled

    D:\resycled

    e:\resycled

    f:\resycled

    g:\resycled

    c:\windows\system32\TDSSweat.dat

    C:\WINDOWS\system32\drivers\TDSSmqlt.sys

    C:\windows\system32\drivers\tdssserv.sys

    C:\WINDOWS\system32\drivers\TDSSmact.sys

    C:\WINDOWS\system32\TDSSfpmp.dll

    C:\WINDOWS\system32\TDSSwpyd.dat

    C:\WINDOWS\system32\TDSStkdv.log

    C:\WINDOWS\system32\TDSSotxb.dll

    C:\WINDOWS\system32\TDSScrrn.dll

    C:\WINDOWS\system32\TDSSbvqh.dll

    C:\WINDOWS\system32\TDSSjnmx.dll

    c:\windows\system32\TDSShrxr.dll

    c:\windows\system32\TDSSkkbi.log

    c:\windows\system32\TDSSlrvd.dat

    c:\windows\system32\TDSSlxwp.dll

    c:\windows\system32\TDSSnmxh.log

    c:\windows\system32\TDSSoiqt.dll

    c:\windows\system32\TDSSrhyp.log

    c:\windows\system32\TDSSrtqp.dll

    c:\windows\system32\TDSSsihc.dll

    c:\windows\system32\TDSSxfum.dll

    c:\windows\system32\TDSSmtve.dat

    c:\windows\system32\TDSSnirj.dat


    Drivers to delete:

    tdss

    tdssserv

    TDSSserv.SYS

    Service_TDSSSERV.SYS

    Legacy_TDSSSERV.SYS

    msqpdxserv.sys

    msqpdxserv


    Registry keys to delete:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

    HKEY_LOCAL_MACHINE\SOFTWARE\tdss

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV


  • In the avenger window, click the
    Paste Script from Clipboard
    icon,
    pastets4.png
    button.

  • :!:
    Make sure that what appears in Avenger
    matches exactly
    what you were asked to Copy/Paste from the Code box above.

  • Click the
    Execute
    button.

  • You will be asked
    Are you sure you want to execute the current script?
    .

  • Click
    Yes
    .

  • You will now be asked
    First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
    .

  • Click
    Yes
    .

  • Your PC will now be rebooted.

  • Note:
    If the above script contains Drivers to delete: or Drivers to disable:, then
    The Avenger
    will require two reboots to complete its operation.

  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.

  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of
    c:\avenger.txt
    into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

STEP09

Download DDS and save it to your desktop from one of these 3 locations

1
http://www.techsupportforum.com/sectools/sUBs/dds

2
http://download.bleepingcomputer.com/sUBs/dds.scr

3
http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click
dds.scr
to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]
    Save both reports to your desktop.

Please include the following logs in your next reply:

DDS.txt

Attach.txt

Please then reply with a copy of
C:\Combofix.txt
,
C:\Avenger.txt
, and a new
HijackThis

RE-Enable your AntiVirus and AntiSpyware

applications.
Link to post
Share on other sites

Many thanks for your prompt and helpful response!

I have completed through to the end of Step 7 - ie I have run ComboFix and now provide further information.

I did receive the "presence of rootkit activity" message from ComboFix. The files listed were:

C:\WINDOWS\systems32\drivers\TDSSpqlt.sys

C:\WINDOWS\systems32\TDSSoiqt.dll

C:\WINDOWS\systems32\TDSSmhct.dat

C:\WINDOWS\systems32\TDSSoiqh.dll

C:\WINDOWS\systems32\TDSSorvd.dll

C:\WINDOWS\systems32\TDSShrsr.dll

C:\WINDOWS\systems32\TDSSriqp.dll

C:\WINDOWS\systems32\TDSSsihc.log

C:\WINDOWS\systems32\TDSSxfum.log

C:\WINDOWS\systems32\TDSSlxwp.dll

C:\WINDOWS\systems32\TDSSnmxh.log

The ComboFix log follows:

ComboFix 09-01-20.05 - Chris Young 2009-01-22 10:19:42.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1504 [GMT 11:00]

Running from: c:\documents and settings\Chris Young\Desktop\Combo-Fix.exe

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\TDSSpqlt.sys

c:\windows\system32\setup.ini

c:\windows\system32\TDSShrsr.dll

c:\windows\system32\TDSSlxwp.dll

c:\windows\system32\TDSSmhct.dat

c:\windows\system32\TDSSnmxh.log

c:\windows\system32\TDSSoiqh.dll

c:\windows\system32\TDSSoiqt.dll

c:\windows\system32\TDSSorvd.dll

c:\windows\system32\TDSSriqp.dll

c:\windows\system32\TDSSsihc.log

c:\windows\system32\TDSSxfum.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_TDSSserv.sys

-------\Legacy_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))

.

2009-01-21 23:19 . 2009-01-21 23:19 <DIR> d-------- C:\swshare

2009-01-21 12:58 . 2009-01-22 10:27 32 --a------ c:\windows\system32\driver.dat

2009-01-21 10:03 . 2009-01-21 10:03 <DIR> d-------- c:\program files\Trend Micro

2009-01-20 21:50 . 2009-01-20 21:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-01-20 14:07 . 2009-01-20 14:07 <DIR> d-------- c:\documents and settings\Chris Young\Application Data\Malwarebytes

2009-01-20 13:42 . 2009-01-21 13:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-20 13:42 . 2009-01-20 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-20 13:42 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-20 13:42 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-19 17:12 . 2009-01-19 17:12 <DIR> d-------- c:\program files\Lavasoft

2009-01-19 17:12 . 2009-01-21 10:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-19 13:08 . 2009-01-19 13:07 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-05 22:25 . 2009-01-05 22:25 <DIR> d-------- c:\program files\Bonjour

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-21 12:05 --------- d-----w c:\program files\CCleaner

2009-01-21 01:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Corporation

2009-01-21 01:08 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-01-21 01:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-20 23:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-19 10:47 --------- d-----w c:\program files\DNTV Live!

2009-01-19 10:46 --------- d-----w c:\program files\Google

2009-01-19 10:44 --------- d-----w c:\program files\Yahoo!

2009-01-19 10:35 15,964 ----a-w c:\program files\hijackthis.log

2009-01-19 10:33 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip

2009-01-19 10:07 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-19 10:07 --------- d-----w c:\program files\Common Files\Real

2009-01-19 10:04 --------- d-----w c:\program files\Common Files\Apple

2009-01-19 02:07 --------- d-----w c:\program files\Java

2009-01-15 03:44 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-01 02:37 --------- d-----w c:\documents and settings\Chris Young\Application Data\AdobeUM

2008-12-01 02:22 --------- d-----w c:\program files\Common Files\Lenovo

2008-12-01 02:21 --------- d-----w c:\program files\Lenovo

2008-11-26 23:34 --------- d-----w c:\documents and settings\Chris Young\Application Data\InstallShield

2008-11-24 11:28 --------- d-----w c:\program files\QuickTime

2008-03-30 02:18 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2007-11-24 07:33 92,064 ----a-w c:\documents and settings\Chris Young\mqdmmdm.sys

2007-11-24 07:33 9,232 ----a-w c:\documents and settings\Chris Young\mqdmmdfl.sys

2007-11-24 07:33 79,328 ----a-w c:\documents and settings\Chris Young\mqdmserd.sys

2007-11-24 07:33 66,656 ----a-w c:\documents and settings\Chris Young\mqdmbus.sys

2007-11-24 07:33 6,208 ----a-w c:\documents and settings\Chris Young\mqdmcmnt.sys

2007-11-24 07:33 5,936 ----a-w c:\documents and settings\Chris Young\mqdmwhnt.sys

2007-11-24 07:33 4,048 ----a-w c:\documents and settings\Chris Young\mqdmcr.sys

2007-11-24 07:33 25,600 ----a-w c:\documents and settings\Chris Young\usbsermptxp.sys

2007-11-24 07:33 22,768 ----a-w c:\documents and settings\Chris Young\usbsermpt.sys

2005-04-04 02:50 9,392 -c--a-w c:\documents and settings\Chris Young\Application Data\ViewerApp.dat

2005-02-16 00:06 218,112 ----a-w c:\program files\HijackThis.exe

2008-10-07 23:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100820081009\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-02 67128]

"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]

"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]

"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2003-07-11 20480]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2003-09-03 897024]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-11-29 243248]

"UC_Start"="c:\ibmtools\Updater\ucstartup.exe" [2003-03-18 32768]

"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-07-11 94208]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 90182]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 139347]

"MagicRotation"="c:\program files\MagicRotation\MagicPvt.exe" [2005-12-26 1089536]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"S3TRAY2"="S3Tray2.exe" [2001-10-12 c:\windows\system32\S3Tray2.exe]

"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 c:\windows\system32\irprops.cpl]

"TpShocks"="TpShocks.exe" [2007-11-22 c:\windows\system32\TpShocks.exe]

"TP4EX"="tp4ex.exe" [2002-09-04 c:\windows\system32\TP4EX.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2003-06-28 c:\windows\AGRSMMSG.exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk.disabled [2004-06-10 1835]

Color Calibration.lnk.disabled [2007-02-03 1433]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-04-02 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-02-03 805392]

WinZip Quick Pick.lnk.disabled [2009-01-19 1671]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]

2008-03-14 19:54 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 00:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-11-30 21:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\IBMTOOLS\\Updater\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\WINDOWS\\system32\\CNAB5RPK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Canon\\DIAS\\CnxDIAS.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3756:UDP"= 3756:UDP:Canon CAPT Port

"9100:TCP"= 9100:TCP:192.168.129.20

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-04-11 11520]

R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-04-11 4224]

R1 magicpvt;magicpvt;c:\windows\system32\drivers\magicpvt.sys [2007-02-03 9728]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-05-30 15360]

R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-02-03 3712]

R4 NokiaSuite3;NokiaSuite3;c:\windows\system32\drivers\NokiaSuite3.sys [2004-08-07 837696]

S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.sys [?]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2006-05-11 472096]

S3 UDTT2BDA;DNTV Live! Tiny USB2 BDA;c:\windows\system32\drivers\UDTT2BDA.sys [2006-03-18 55040]

S3 UDTT2HID;DNTV Live! Tiny USB 2.0 HID RC Driver;c:\windows\system32\drivers\UDTT2HID.sys [2006-03-19 15872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158e7573-56b9-11dd-aaa0-000cf1354be0}]

\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158e7576-56b9-11dd-aaa0-000cf1354be0}]

\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1258851-5bb4-11dd-aaa9-000cf1354be0}]

\Shell\AutoRun\command - G:\AutoRun.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2007-12-07 c:\windows\Tasks\BMMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2003-07-11 19:34]

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.vicbar.com.au/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.iinet.net.au/

uInternet Settings,ProxyOverride = <local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab

DPF: {FDE14979-D821-4CD8-BE1C-9D6AF01D097F} - hxxp://www.justice.vic.gov.au/emanuals/VSM/vm.cab

FF - ProfilePath - c:\documents and settings\Chris Young\Application Data\Mozilla\Firefox\Profiles\default.feu\

FF - prefs.js: browser.startup.homepage - hxxp://www.vicbar.com.au/

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 10:30:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1376)

c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1432)

c:\program files\ThinkPad\ConnectUtilities\ACGina.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACON.dll

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll

c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll

c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll

c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll

c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\S24EvMon.exe

c:\windows\system32\ati2evxx.exe

c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\CNAB5RPK.EXE

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Canon\DIAS\CnxDIAS.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\Network Associates\VirusScan\mcshield.exe

c:\program files\Network Associates\VirusScan\vstskmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\windows\system32\RegSrvc.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\windows\system32\TPHDEXLG.exe

c:\windows\system32\TpKmpSvc.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\windows\system32\searchindexer.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\windows\system32\fxssvc.exe

c:\program files\Lenovo\System Update\SUService.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

.

**************************************************************************

.

Completion time: 2009-01-22 10:38:34 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-21 23:38:30

Pre-Run: 3,936,612,352 bytes free

Post-Run: 3,888,721,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

278 --- E O F --- 2009-01-15 03:44:42

Should I now proceed on to Step 08?

Link to post
Share on other sites

  • Root Admin

Yes, please follow on and when that is all done please run this.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

OK, remainder of the steps now completed. The log files follow:

First, Avenger

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\brsvc01a.exe" not found!

Deletion of file "C:\WINDOWS\system32\brsvc01a.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\brss01a.exe" not found!

Deletion of file "C:\WINDOWS\system32\brss01a.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp"

Deletion of file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!

Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\resycled" not found!

Deletion of file "C:\resycled" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "D:\resycled"

Deletion of file "D:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "f:\resycled"

Deletion of file "f:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "g:\resycled"

Deletion of file "g:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "c:\windows\system32\TDSSweat.dat" not found!

Deletion of file "c:\windows\system32\TDSSweat.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!

Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!

Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!

Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSShrxr.dll" not found!

Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSkkbi.log" not found!

Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlrvd.dat" not found!

Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlxwp.dll" not found!

Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnmxh.log" not found!

Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSoiqt.dll" not found!

Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrhyp.log" not found!

Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrtqp.dll" not found!

Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSsihc.dll" not found!

Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSxfum.dll" not found!

Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSmtve.dat" not found!

Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnirj.dat" not found!

Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!

Deletion of driver "tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!

Deletion of driver "tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!

Deletion of driver "TDSSserv.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!

Deletion of driver "Service_TDSSSERV.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!

Deletion of driver "Legacy_TDSSSERV.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!

Deletion of driver "msqpdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!

Deletion of driver "msqpdxserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "e:\resycled" not found!

Deletion of file "e:\resycled" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Next, DDS.txt

DDS (Ver_09-01-07.01) - NTFSx86

Run by Chris Young at 18:35:32.55 on Thu 22/01/2009

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1537 [GMT 11:00]

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\MagicRotation\MagicPvt.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\CNAB5RPK.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Canon\DIAS\CnxDIAS.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Lenovo\System Update\SUService.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\system32\1XConfig.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Chris Young\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vicbar.com.au/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.iinet.net.au/

uInternet Settings,ProxyOverride = <local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe

mRun: [s3TRAY2] S3Tray2.exe

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

mRun: [TpShocks] TpShocks.exe

mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe

mRun: [bMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [TP4EX] tp4ex.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [uC_Start] c:\ibmtools\updater\ucstartup.exe

mRun: [bMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [shStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe"

mRun: [MagicRotation] c:\program files\magicrotation\MagicPvt.exe

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [AtiPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Acrobat Assistant.lnk.disabled

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Color Calibration.lnk.disabled

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\documents and settings\all users\start menu\programs\startup\WinZip Quick Pick.lnk.disabled

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: ACNotify - ACNotify.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

Notify: tpfnf2 - notifyf2.dll

Notify: tphotkey - tphklock.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrisy~1\applic~1\mozilla\firefox\profiles\default.feu\

FF - prefs.js: browser.startup.homepage - hxxp://www.vicbar.com.au/

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

P4 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2003-3-6 233595]

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-4-11 11520]

R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-4-11 4224]

R1 magicpvt;magicpvt;c:\windows\system32\drivers\magicpvt.sys [2007-2-3 9728]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-5-30 15360]

R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-3-6 84448]

R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-2-3 3712]

R4 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2004-9-29 106586]

R4 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2003-3-6 127050]

R4 NokiaSuite3;NokiaSuite3;c:\windows\system32\drivers\NokiaSuite3.sys [2004-8-7 837696]

S1 atitray;atitray;\??\c:\program files\radeon omega drivers\v3.8.252\ati tray tools\atitray.sys --> c:\program files\radeon omega drivers\v3.8.252\ati tray tools\atitray.sys [?]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2006-5-11 472096]

S3 UDTT2BDA;DNTV Live! Tiny USB2 BDA;c:\windows\system32\drivers\UDTT2BDA.sys [2006-3-18 55040]

S3 UDTT2HID;DNTV Live! Tiny USB 2.0 HID RC Driver;c:\windows\system32\drivers\UDTT2HID.sys [2006-3-19 15872]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-01-22 10:07 <DIR> a-dshr-- C:\cmdcons

2009-01-22 10:04 161,792 a------- c:\windows\SWREG.exe

2009-01-22 10:04 98,816 a------- c:\windows\sed.exe

2009-01-21 23:19 <DIR> --d----- C:\swshare

2009-01-21 12:58 32 a------- c:\windows\system32\driver.dat

2009-01-21 10:03 <DIR> --d----- c:\program files\Trend Micro

2009-01-20 14:07 <DIR> --d----- c:\docume~1\chrisy~1\applic~1\Malwarebytes

2009-01-20 13:42 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-20 13:42 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-20 13:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-01-20 13:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-01-19 17:12 <DIR> --d----- c:\program files\Lavasoft

2009-01-19 13:08 410,984 a------- c:\windows\system32\deploytk.dll

2009-01-05 22:25 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-01-19 21:35 15,964 a------- c:\program files\hijackthis.log

2008-12-13 17:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll

2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe

2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

2008-12-11 21:57 333,952 a------- c:\windows\system32\drivers\srv.sys

2008-12-11 21:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

2008-10-24 22:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys

2008-03-30 13:18 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

2007-11-24 18:33 79,328 a------- c:\documents and settings\chris young\mqdmserd.sys

2007-11-24 18:33 5,936 a------- c:\documents and settings\chris young\mqdmwhnt.sys

2007-11-24 18:33 92,064 a------- c:\documents and settings\chris young\mqdmmdm.sys

2007-11-24 18:33 66,656 a------- c:\documents and settings\chris young\mqdmbus.sys

2007-11-24 18:33 25,600 a------- c:\documents and settings\chris young\usbsermptxp.sys

2007-11-24 18:33 22,768 a------- c:\documents and settings\chris young\usbsermpt.sys

2007-11-24 18:33 9,232 a------- c:\documents and settings\chris young\mqdmmdfl.sys

2007-11-24 18:33 6,208 a------- c:\documents and settings\chris young\mqdmcmnt.sys

2007-11-24 18:33 4,048 a------- c:\documents and settings\chris young\mqdmcr.sys

2005-04-04 13:50 9,392 ac------ c:\docume~1\chrisy~1\applic~1\ViewerApp.dat

2005-02-16 11:06 218,112 a------- c:\program files\HijackThis.exe

2008-10-08 10:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100820081009\index.dat

============= FINISH: 18:36:39.74 ===============

Third, Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/06/2004 5:55:25 AM

System Uptime: 22/01/2009 6:10:41 PM (0 hours ago)

Motherboard: IBM | | 1830EM4

Processor: Intel® Pentium® M processor 1500MHz | None | 598/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 24 GiB total, 3.688 GiB free.

D: is CDROM ()

E: is FIXED (FAT32) - 0 GiB total, 0.301 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

==== System Restore Points ===================

RP1029: 17/12/2008 12:45:36 PM - System Checkpoint

RP1030: 18/12/2008 2:13:25 PM - System Checkpoint

RP1031: 18/12/2008 3:06:21 PM - Software Distribution Service 3.0

RP1032: 22/12/2008 3:01:39 PM - System Checkpoint

RP1033: 26/12/2008 10:01:36 AM - System Checkpoint

RP1034: 27/12/2008 10:45:34 AM - System Checkpoint

RP1035: 1/01/2009 10:13:39 AM - System Checkpoint

RP1036: 2/01/2009 9:26:41 PM - System Checkpoint

RP1037: 5/01/2009 10:28:00 AM - System Checkpoint

RP1038: 8/01/2009 2:33:19 PM - System Checkpoint

RP1039: 11/01/2009 10:31:42 AM - System Checkpoint

RP1040: 12/01/2009 11:35:09 AM - System Checkpoint

RP1041: 14/01/2009 10:08:39 AM - Software Distribution Service 3.0

RP1042: 15/01/2009 2:21:13 PM - System Checkpoint

RP1043: 15/01/2009 2:43:21 PM - Software Distribution Service 3.0

RP1044: 18/01/2009 9:42:48 PM - System Checkpoint

RP1045: 19/01/2009 10:47:50 AM - Spybot-S&D Spyware removal

RP1046: 19/01/2009 1:07:01 PM - Installed Java 6 Update 11

RP1047: 19/01/2009 5:12:16 PM - Installed Ad-Aware

RP1048: 19/01/2009 9:03:38 PM - Removed iTunes

RP1049: 19/01/2009 9:05:08 PM - Configured iPod for Windows 2005-11-17

RP1050: 19/01/2009 9:06:24 PM - Removed Safari

RP1051: 19/01/2009 9:07:04 PM - Configured iPod for Windows 2005-09-23

RP1052: 19/01/2009 9:31:10 PM - Removed WinZip 12.0

RP1053: 19/01/2009 9:32:28 PM - Installed WinZip 12.0

RP1054: 19/01/2009 9:45:51 PM - Removed Motorola Driver Installation

RP1055: 20/01/2009 6:44:01 AM - Spybot-S&D Spyware removal

RP1056: 20/01/2009 8:35:56 AM - Spybot-S&D Spyware removal

RP1057: 20/01/2009 12:09:20 PM - Spybot-S&D Spyware removal

RP1058: 20/01/2009 12:55:38 PM - Spybot-S&D Spyware removal

RP1059: 21/01/2009 10:54:52 AM - Removed Ad-Aware

RP1060: 21/01/2009 12:20:32 PM - Removed Windows Vista Upgrade Advisor

RP1061: 22/01/2009 10:05:02 AM - ComboFix created restore point

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)

Access IBM

Access IBM Cleanup Utility

Access IBM Message Center

Access IBM Tools

Adobe Acrobat 6.0 Professional

Adobe Flash Player 10 Plugin

Adobe Flash Player 9 ActiveX

Adobe Reader 8.1.3

Agere Systems AC'97 Modem

Apple Mobile Device Support

Apple Software Update

ATI - Software Uninstall Utility

ATI Control Panel

ATI Display Driver

BlackBerry Desktop Software 4.2

Bonjour

Canon CAPT Print Monitor 1.43

Canon LBP3300

Canon ScanGear Toolbox CS 2.2

CCleaner (remove only)

CDDRV_Installer

cgt 2005

Cisco Systems VPN Client 4.8.00.0440

DiscWizard for Windows

e-tax 2004

e-tax 2004 - CGT Module

e-tax 2005

e-tax 2006

ECI Client v5.0.5

EndNote 9.0.1 Volume License Edition

EndNote X.0.2 Volume License Edition

FileNet Desktop eForms

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows XP (KB952287)

Human Interface Programmer (HIP)

IBM 32-bit SDK for Java 2, v1.4.1

IBM Themes

IBM ThinkPad Battery MaxiMiser and Power Management Features

IBM ThinkPad Keyboard Customizer Utility

IBM TrackPoint Accessibility Features

IBM Update Connector

iiNet Configure Your Broadband

Intel® PRO Network Connections Drivers

Intel® Sebring API

InterVideo WinDVD

ISI ResearchSoft - Export Helper

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 8

J2SE Runtime Environment 5.0 Update 9

Java 2 Runtime Environment, SE v1.4.2_04

Java 6 Update 11

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Java SE Runtime Environment 6 Update 1

KhalInstallWrapper

Logitech Desktop Messenger

Logitech SetPoint

Lotto-Domo Screensaver Screen Saver

Macromedia Flash Player

MagicRotation

Malwarebytes' Anti-Malware

McAfee VirusScan Enterprise

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Ultimate 2007

Microsoft Office Word MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

MicroStaff WINASPI

MobileMe Control Panel

Mozilla Firefox (0.8.)

Mozilla Firefox (3.0.5)

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MT4.0

MultiRes (remove only)

Natural Color

Optus Wireless Broadband

PC-Doctor 5 for Windows

Polar UpLink Tool

Polar WebLink 2.4.0

publications 2005

Quicken 2007

Quicken 2008

QuickTime

Radeon Omega Drivers v3.8.252 Setup Files and Tools

Ringtail Image Viewer

Security Update for 2007 Microsoft Office System (KB951550)

Security Update for 2007 Microsoft Office System (KB951944)

Security Update for 2007 Microsoft Office System (KB958439)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft Office Excel 2007 (KB958437)

Security Update for Microsoft Office OneNote 2007 (KB950130)

Security Update for Microsoft Office PowerPoint 2007 (KB951338)

Security Update for Microsoft Office Publisher 2007 (KB950114)

Security Update for Microsoft Office system 2007 (KB954326)

Security Update for Microsoft Office system 2007 (KB956828)

Security Update for Microsoft Office Word 2007 (KB956358)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Visio 2007 (KB947590)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

SILQ v4.0

SILQ v5.0

SILQ v6.0

Sonic DLA

Sonic Express Labeler

Sonic RecordNow!

Sonic Update Manager

SoundMAX

Spybot - Search & Destroy 1.5.2.20

System Update

The Economist Screen Saver

ThinkPad Configuration

ThinkPad EasyEject Utility

ThinkPad FullScreen Magnifier

ThinkPad Hotkey Features Setup

ThinkPad Power Management Driver

ThinkPad Presentation Director

ThinkPad Software Installer

ThinkPad UltraNav Driver

ThinkPad UltraNav Wizard

ThinkVantage Access Connections

ThinkVantage Active Protection System

Update for Microsoft Office Outlook 2007 (KB952142)

Update for Office 2007 (KB946691)

Update for Outlook 2007 Junk Email Filter (kb959141)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Wallpapers

WebFldrs XP

WHO Anthro 2005

Windows Desktop Search 3.01

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Media Connect

Windows Media Format Runtime

Windows Media Player 10

Windows XP Service Pack 3

WinZip 12.0

==== Event Viewer Messages From Past Week ========

19/01/2009 10:09:30 PM, error: Service Control Manager [7034] - The Network Associates McShield service terminated unexpectedly. It has done this 1 time(s).

20/01/2009 6:42:50 AM, error: Service Control Manager [7034] - The TVT Scheduler service terminated unexpectedly. It has done this 1 time(s).

20/01/2009 3:08:02 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.

20/01/2009 9:49:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

20/01/2009 9:50:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ANC atitray Fips IBMTPCHK intelppm magicpvt Smapint TDSMAPI TPHKDRV TPPWR TSMAPIP

20/01/2009 9:50:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

21/01/2009 12:25:42 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atitray

21/01/2009 12:57:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Fax service to connect.

21/01/2009 12:57:19 PM, error: Service Control Manager [7000] - The Fax service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

22/01/2009 7:34:54 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the System Update service to connect.

22/01/2009 7:34:54 AM, error: Service Control Manager [7000] - The System Update service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

21/01/2009 12:21:41 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\ati2mtag.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.6547.

==== End Of File ===========================

Fourth, Anti-Malware log

Malwarebytes' Anti-Malware 1.33

Database version: 1675

Windows 5.1.2600 Service Pack 3

22/01/2009 6:47:48 PM

mbam-log-2009-01-22 (18-47-48).txt

Scan type: Quick Scan

Objects scanned: 58885

Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And, finally, HijackThis, run after a reboot:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:54:14 PM, on 22/01/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\MagicRotation\MagicPvt.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\CNAB5RPK.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Canon\DIAS\CnxDIAS.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Lenovo\System Update\SUService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vicbar.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [uC_Start] C:\IBMTools\Updater\ucstartup.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [MagicRotation] C:\Program Files\MagicRotation\MagicPvt.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: Acrobat Assistant.lnk.disabled

O4 - Global Startup: Color Calibration.lnk.disabled

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: WinZip Quick Pick.lnk.disabled

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [JAVA_IBM] Java (IBM)

O15 - Trusted IP range: 152.91.0.2

O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/a...ntent/AcpIR.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab

O16 - DPF: {FDE14979-D821-4CD8-BE1C-9D6AF01D097F} (VMTOCCtrl Class) - http://www.justice.vic.gov.au/emanuals/VSM/vm.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--

End of file - 12781 bytes

Thanks again for all of your help. The laptop certainly seems to be running well now and there don't seem to be any traces of the trojan left?

Link to post
Share on other sites

  • Root Admin

Not done yet unless you want it to come right back.

Start HJT and run Do a system scan only and place a check mark on the following items.

  • O11 - Options group: [JAVA_IBM] Java (IBM)
  • O15 - Trusted IP range: 152.91.0.2
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

Adobe Acrobat 6.0 Professional (old and exploited) needs to be updated, removed for security reasons.

Adobe Reader 8.1.3

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

(old and exploited, ALL need to be removed)

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 8

J2SE Runtime Environment 5.0 Update 9

Java 2 Runtime Environment, SE v1.4.2_04

Java

Link to post
Share on other sites

OK, the two additional logs are attached.

First, JavaRa.log

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jan 22 22:22:43 2009

Found and removed: C:\Program Files\Java\j2re1.4.2_04

Found and removed: C:\Program Files\Java\jre1.5.0_06

Found and removed: C:\Program Files\Java\jre1.5.0_08

Found and removed: C:\Program Files\Java\jre1.5.0_11

Found and removed: C:\Program Files\Java\jre1.6.0_01

Found and removed: C:\Program Files\Java\jre1.6.0_02

Found and removed: C:\Program Files\Java\jre1.6.0_03

Found and removed: C:\Program Files\Java\jre1.6.0_05

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_08

Found and removed: Software\JavaSoft\Java2D\1.5.0_09

Found and removed: Software\JavaSoft\Java2D\1.5.0_10

Found and removed: Software\JavaSoft\Java2D\1.5.0_11

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaPlugin.150_08

Found and removed: SOFTWARE\Classes\JavaPlugin.150_09

Found and removed: SOFTWARE\Classes\JavaPlugin.150_10

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Classes\JavaPlugin.142_04

Found and removed: Software\Classes\JavaPlugin.160_01

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_08\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_11\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_01\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jan 22 22:28:41 2009

------------------------------------

Finished reporting.

And, second, lopR.txt

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3

X86-based PC ( Uniprocessor Free : Intel® Pentium® M processor 1500MHz )

BIOS : Phoenix FirstBIOS Notebook Pro Version 2.0 for IBM ThinkPad

USER : Chris Young ( Administrator )

BOOT : Normal boot

C:\ (Local Disk) - NTFS - Total:24 Go (Free:4 Go)

D:\ (CD or DVD)

E:\ (Local Disk) - FAT32 - Total:0 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [1] ( Thu 22/01/2009|22:47 )

--------------------\\ Listing folders in APPLIC~1

[21/02/2003|03:20] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities

[20/01/2009|09:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Malwarebytes

[21/02/2003|03:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[20/01/2009|09:56] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Mozilla

[30/05/2004|05:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sonic

[30/05/2004|05:12] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[22/01/2009|09:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe

[09/07/2007|04:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple

[27/11/2006|10:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer

[16/09/2008|05:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software

[19/01/2009|09:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google

[13/08/2008|11:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> IBM

[21/11/2007|09:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> iConnect

[05/06/2007|01:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Installations

[11/04/2007|01:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield

[13/07/2005|08:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit

[21/01/2009|10:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft

[20/04/2008|09:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> LogiShrd

[12/08/2007|11:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Logitech

[20/01/2009|01:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes

[07/12/2007|06:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft

[21/01/2009|12:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft Corporation

[15/01/2009|02:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft Help

[10/06/2004|07:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MSN6

[29/09/2004|02:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Network Associates

[22/01/2009|10:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NOS

[18/04/2007|05:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Office Genuine Advantage

[21/11/2007|09:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> OPEN Networks

[05/06/2007|01:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PC Suite

[11/04/2007|12:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PC-Doctor

[04/07/2004|08:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime

[21/02/2003|03:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI

[16/09/2008|05:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Skype

[21/01/2009|12:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy

[29/09/2004|02:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec

[24/09/2005|04:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[19/01/2009|09:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WinZip

[17/09/2008|10:27] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Adobe

[01/12/2008|01:37] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> AdobeUM

[11/04/2008|12:28] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Apple Computer

[12/04/2007|01:51] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> atitray

[05/06/2007|06:00] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Blackberry Desktop

[15/01/2005|12:25] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Canon

[19/01/2005|02:51] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> CoreFTP

[10/12/2007|10:09] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> EndNote

[22/10/2006|04:20] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Google

[10/06/2004|11:22] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Help

[10/06/2004|07:46] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> IBM

[21/02/2003|03:20] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Identities

[27/11/2008|10:34] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> InstallShield

[10/06/2004|10:56] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> InterVideo

[13/07/2005|08:15] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Intuit

[25/05/2005|03:24] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> iPodder

[04/07/2004|06:48] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> iScreensaver

[10/06/2004|11:33] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Leadertech

[03/02/2007|11:36] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Logitech

[09/06/2004|11:39] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Macromedia

[20/01/2009|02:07] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Malwarebytes

[19/08/2008|01:49] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Microsoft

[27/08/2008|09:10] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Mozilla

[10/06/2004|07:56] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> MSN6

[05/06/2007|01:26] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Nokia

[05/06/2007|01:31] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> PC Suite

[09/06/2004|11:13] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Phoenix

[19/01/2009|09:07] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Real

[05/06/2007|06:03] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Research In Motion

[08/11/2004|06:55] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> RhinoSoft.com

[01/04/2008|01:32] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> skypePM

[10/06/2004|11:33] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Sonic

[22/01/2009|10:36] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Sun

[30/05/2004|05:12] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Symantec

[15/07/2004|03:40] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Talkback

[09/07/2007|04:01] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Uniblue

[07/12/2007|07:08] C:\DOCUME~1\CHRISY~1\APPLIC~1\<DIR> Windows Desktop Search

[21/02/2003|03:20] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities

[21/02/2003|03:02] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[30/05/2004|05:16] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sonic

[30/05/2004|05:12] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[21/05/2007|10:17] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[21/02/2003|03:02] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[19/01/2009 10:18 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[08/12/2007 10:40 AM][--a------] C:\WINDOWS\tasks\BMMTask.job

[22/01/2009 10:40 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT

[18/08/2001 08:00 PM][-r-h-c---] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[06/11/2008|05:20] C:\Program Files\<DIR> Adobe

[11/04/2007|12:08] C:\Program Files\<DIR> Analog Devices

[05/08/2008|02:02] C:\Program Files\<DIR> Apple Software Update

[15/08/2004|10:39] C:\Program Files\<DIR> ArcSoft

[04/09/2007|11:48] C:\Program Files\<DIR> ATI Technologies

[05/01/2009|10:25] C:\Program Files\<DIR> Bonjour

[17/09/2008|10:24] C:\Program Files\<DIR> Canon

[21/01/2009|11:05] C:\Program Files\<DIR> CCleaner

[23/05/2007|03:59] C:\Program Files\<DIR> Cisco Systems

[22/01/2009|10:20] C:\Program Files\<DIR> Common Files

[21/02/2003|03:09] C:\Program Files\<DIR> ComPlus Applications

[03/10/2006|10:54] C:\Program Files\<DIR> CSI

[05/06/2007|01:18] C:\Program Files\<DIR> DIFX

[15/01/2007|11:30] C:\Program Files\<DIR> DiscWizard for Windows

[07/07/2006|04:48] C:\Program Files\<DIR> DivX

[19/01/2009|09:47] C:\Program Files\<DIR> DNTV Live!

[10/07/2006|10:52] C:\Program Files\<DIR> ECIClientV5

[10/12/2007|10:05] C:\Program Files\<DIR> EndNote

[08/02/2005|03:27] C:\Program Files\<DIR> EndNote 8 Demo

[30/10/2006|01:44] C:\Program Files\<DIR> EndNote 9

[10/12/2007|10:17] C:\Program Files\<DIR> EndNote X

[10/07/2006|11:07] C:\Program Files\<DIR> FileNet

[19/01/2009|09:46] C:\Program Files\<DIR> Google

[07/08/2004|06:08] C:\Program Files\<DIR> Griffin Technology

[28/07/2004|05:50] C:\Program Files\<DIR> HighMAT CD Writing Wizard

[25/03/2006|03:32] C:\Program Files\<DIR> HIP

[11/04/2007|12:54] C:\Program Files\<DIR> IBM

[21/11/2007|09:07] C:\Program Files\<DIR> iiNet

[19/01/2009|09:07] C:\Program Files\<DIR> InstallShield Installation Information

[11/04/2007|12:57] C:\Program Files\<DIR> Intel

[11/12/2008|07:22] C:\Program Files\<DIR> Internet Explorer

[11/04/2007|12:02] C:\Program Files\<DIR> InterVideo

[13/07/2005|08:06] C:\Program Files\<DIR> iPodder

[04/10/2004|11:58] C:\Program Files\<DIR> Ipswitch

[22/01/2009|10:37] C:\Program Files\<DIR> Java

[19/01/2009|05:12] C:\Program Files\<DIR> Lavasoft

[01/12/2008|01:21] C:\Program Files\<DIR> Lenovo

[03/02/2007|11:29] C:\Program Files\<DIR> Logitech

[30/05/2004|05:05] C:\Program Files\<DIR> ltmoh

[11/05/2007|03:22] C:\Program Files\<DIR> Lx_cats

[03/02/2007|10:58] C:\Program Files\<DIR> MagicRotation

[21/01/2009|01:09] C:\Program Files\<DIR> Malwarebytes' Anti-Malware

[08/10/2008|10:33] C:\Program Files\<DIR> Messenger

[10/05/2007|06:44] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2

[21/02/2003|03:14] C:\Program Files\<DIR> microsoft frontpage

[07/12/2007|05:58] C:\Program Files\<DIR> Microsoft Office

[10/06/2004|11:37] C:\Program Files\<DIR> Microsoft Visual Studio

[07/12/2007|05:47] C:\Program Files\<DIR> Microsoft Visual Studio 8

[07/12/2007|05:59] C:\Program Files\<DIR> Microsoft Works

[07/12/2007|05:56] C:\Program Files\<DIR> Microsoft.NET

[08/10/2008|10:23] C:\Program Files\<DIR> Movie Maker

[22/01/2009|10:44] C:\Program Files\<DIR> Mozilla Firefox

[07/12/2007|05:58] C:\Program Files\<DIR> MSBuild

[21/02/2003|03:08] C:\Program Files\<DIR> MSN

[21/02/2003|03:09] C:\Program Files\<DIR> MSN Gaming Zone

[13/11/2006|12:58] C:\Program Files\<DIR> MSXML 4.0

[14/07/2007|05:16] C:\Program Files\<DIR> MultiRes

[15/10/2006|08:11] C:\Program Files\<DIR> NASA

[08/10/2008|10:17] C:\Program Files\<DIR> NetMeeting

[29/09/2004|02:43] C:\Program Files\<DIR> Network Associates

[05/06/2007|03:54] C:\Program Files\<DIR> Nokia

[22/01/2009|09:57] C:\Program Files\<DIR> NOS

[30/10/2006|01:48] C:\Program Files\<DIR> OfficeUpdate11

[21/02/2003|03:09] C:\Program Files\<DIR> Online Services

[21/07/2008|04:38] C:\Program Files\<DIR> Optus Wireless Broadband

[24/11/2007|05:15] C:\Program Files\<DIR> OptusNet Cable

[30/12/2005|09:25] C:\Program Files\<DIR> OptusNet DSL Internet

[08/10/2008|10:17] C:\Program Files\<DIR> Outlook Express

[14/07/2007|01:16] C:\Program Files\<DIR> PCDR5

[18/03/2006|11:27] C:\Program Files\<DIR> PC-TV

[01/01/2005|11:38] C:\Program Files\<DIR> PIXELA

[25/04/2007|01:20] C:\Program Files\<DIR> Polar

[24/11/2007|06:25] C:\Program Files\<DIR> Quicken 2004

[24/11/2008|10:28] C:\Program Files\<DIR> QuickTime

[14/07/2007|05:15] C:\Program Files\<DIR> Radeon Omega Drivers

[11/10/2004|12:27] C:\Program Files\<DIR> Real

[07/01/2008|02:16] C:\Program Files\<DIR> RegistryFix

[05/06/2007|05:58] C:\Program Files\<DIR> Research In Motion

[06/02/2007|02:22] C:\Program Files\<DIR> riv

[30/05/2004|05:12] C:\Program Files\<DIR> SBApps

[03/02/2007|10:56] C:\Program Files\<DIR> SEC

[01/10/2008|02:45] C:\Program Files\<DIR> SILQware

[29/01/2007|04:47] C:\Program Files\<DIR> Skype

[11/04/2007|01:06] C:\Program Files\<DIR> Sonic

[25/01/2006|07:31] C:\Program Files\<DIR> Sony Ericsson

[21/01/2009|12:08] C:\Program Files\<DIR> Spybot - Search & Destroy

[08/02/2005|03:31] C:\Program Files\<DIR> Support.com

[30/05/2004|04:26] C:\Program Files\<DIR> Synaptics

[11/04/2007|01:09] C:\Program Files\<DIR> ThinkPad

[21/01/2009|10:03] C:\Program Files\<DIR> Trend Micro

[04/07/2004|05:01] C:\Program Files\<DIR> Uninstall Information

[08/02/2005|01:40] C:\Program Files\<DIR> WinASO

[07/12/2007|06:58] C:\Program Files\<DIR> Windows Desktop Search

[26/02/2006|12:36] C:\Program Files\<DIR> Windows Media Connect

[26/02/2006|12:35] C:\Program Files\<DIR> Windows Media Connect 2

[08/10/2008|10:17] C:\Program Files\<DIR> Windows Media Player

[08/10/2008|10:17] C:\Program Files\<DIR> Windows NT

[23/05/2007|09:22] C:\Program Files\<DIR> WindowsUpdate

[19/01/2009|09:32] C:\Program Files\<DIR> WinZip

[21/02/2003|03:14] C:\Program Files\<DIR> xerox

[19/01/2009|09:44] C:\Program Files\<DIR> Yahoo!

[07/07/2006|04:30] C:\Program Files\<DIR> Zero G Registry

--------------------\\ Listing Folders in C:\Program Files\Common Files

[22/01/2009|09:51] C:\Program Files\Common Files\<DIR> Adobe

[19/01/2009|09:04] C:\Program Files\Common Files\<DIR> Apple

[07/12/2007|06:27] C:\Program Files\Common Files\<DIR> DESIGNER

[23/05/2007|03:59] C:\Program Files\Common Files\<DIR> Deterministic Networks

[11/04/2007|01:07] C:\Program Files\Common Files\<DIR> InstallShield

[13/07/2005|08:16] C:\Program Files\Common Files\<DIR> Intuit

[01/12/2008|01:22] C:\Program Files\Common Files\<DIR> Lenovo

[20/04/2008|09:42] C:\Program Files\Common Files\<DIR> Logishrd

[20/04/2008|09:42] C:\Program Files\Common Files\<DIR> Logitech

[07/01/2008|03:02] C:\Program Files\Common Files\<DIR> Microsoft Shared

[24/11/2007|06:44] C:\Program Files\Common Files\<DIR> Motorola Shared

[21/02/2003|03:10] C:\Program Files\Common Files\<DIR> MSSoap

[29/09/2004|02:42] C:\Program Files\Common Files\<DIR> Network Associates

[21/02/2003|03:03] C:\Program Files\Common Files\<DIR> ODBC

[13/07/2005|08:16] C:\Program Files\Common Files\<DIR> Palo Alto Software

[05/06/2007|03:53] C:\Program Files\Common Files\<DIR> PCSuite

[19/01/2009|09:07] C:\Program Files\Common Files\<DIR> Real

[05/06/2007|05:59] C:\Program Files\Common Files\<DIR> Research In Motion

[10/12/2007|10:08] C:\Program Files\Common Files\<DIR> Risxtd

[21/02/2003|03:10] C:\Program Files\Common Files\<DIR> Services

[30/03/2008|01:18] C:\Program Files\Common Files\<DIR> Skype

[21/02/2003|03:03] C:\Program Files\Common Files\<DIR> SpeechEngines

[11/04/2007|01:06] C:\Program Files\Common Files\<DIR> SureThing Shared

[08/10/2008|10:17] C:\Program Files\Common Files\<DIR> System

[21/01/2009|10:55] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 75 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 22:48:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden files: 0

--------------------\\ Searching for other infections

No other infections found !

[F:6][D:7]-> C:\DOCUME~1\CHRISY~1\LOCALS~1\Temp

[F:11][D:0]-> C:\DOCUME~1\CHRISY~1\Cookies

[F:121][D:4]-> C:\DOCUME~1\CHRISY~1\LOCALS~1\TEMPOR~1\content.IE5

[F:2][D:0]-> C:\Recycled

1 - "C:\Lop SD\LopR_1.txt" - Thu 22/01/2009|22:50 - Option : [1]

--------------------\\ Scan completed at 22:50:21

Link to post
Share on other sites

  • Root Admin

Okay that looks pretty good.

How is the computer running now?

Are there still any signs of an infection?

I'd like to see one more round of MBAM scans (don't forget to update first) and a new HJT logs.

You can re-install your Java now too if you haven't already.

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 11.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 11 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u11-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer
Link to post
Share on other sites

The computer is running well and there don't seem to be any signs of infections remaining.

The Anti-Malware log is:

Malwarebytes' Anti-Malware 1.33

Database version: 1682

Windows 5.1.2600 Service Pack 3

23/01/2009 12:06:07 PM

mbam-log-2009-01-23 (12-06-07).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 134542

Time elapsed: 1 hour(s), 28 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:21:49 PM, on 23/01/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Canon\DIAS\CnxDIAS.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\WINDOWS\system32\CNAB5RPK.EXE

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\MagicRotation\MagicPvt.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vicbar.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [uC_Start] C:\IBMTools\Updater\ucstartup.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [MagicRotation] C:\Program Files\MagicRotation\MagicPvt.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: Acrobat Assistant.lnk.disabled

O4 - Global Startup: Color Calibration.lnk.disabled

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: WinZip Quick Pick.lnk.disabled

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/a...ntent/AcpIR.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab

O16 - DPF: {FDE14979-D821-4CD8-BE1C-9D6AF01D097F} (VMTOCCtrl Class) - http://www.justice.vic.gov.au/emanuals/VSM/vm.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--

End of file - 12235 bytes

Link to post
Share on other sites

  • Root Admin

Start HJT and run Do a system scan only and place a check mark on the following items.

  • O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

Update your Anti-Virus and do a Full Scan and you should be good to go.

Great, all looks good now.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • Check Turn off System Restore.

  • Click Apply, and then click OK.

  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • UN-Check *Turn off System Restore*.

  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from
here

Find here the tutorial on how to use Spyware Blaster
here

Install WinPatrol

Download it from
here

Here you can find information about how WinPatrol works
here

Install FireTrust SiteHound

You can find information and download it from
here

Install hpHosts

Download it from
here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,

tracking and malicious websites. This prevents your computer from connecting to these untrusted sites

by redirecting them to 127.0.0.1 which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP
SP2
, you should upgrade to
SP3
.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend
Online Armor Free

A little outdated but good reading on

how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you
Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting
Pre- HJT Post Instructions

Also don't forget that we offer
FREE
assistance with General PC questions and repair here
PC Help

If you're pleased with the product
Malwarebytes
and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org

Link to post
Share on other sites

Thankyou very much for your prompt and effective responses. I really appreciate it.

My final question is in relation to the recommendations about improving the computer's security. Do you recommend that each of the programs be installed? Also, does a program such as Spyware Blaster do anything that Anti-Malware does not (assuming the purchased version is used)?

Thanks again!

Link to post
Share on other sites

  • Root Admin

Perhaps not all of them, a lot depends on what sites you visit and how you use the computer. The more risky sites such as games, warez, porn, the more chance you'll have of getting infected and will want better protection.

Spyware Blaster does work differently than MBAM and a lot of that tool is also free. Microsoft has even started using that killbit method in their monthly update cycle but I think Spyware Blaster is ahead of them still so good to use it.

Regardless of what product you use there is always a possibility that it can bypass and infect you. This malware is infection stuff is updated every day too and tries new tricks to bypass security software.

I like using Firefox with NoScript and Adblock Plus myself. It takes some time to train it which turns some users off, but it works well at protecting you while surfing unless you just plain ignore stuff and click on stuff you shouldn't be clicking on.

You can read more about it where I posted to another user in the General Forum

http://www.malwarebytes.org/forums/index.p...ost&p=50156

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.