Jump to content

Unable to run any executable


gobowsgo
 Share

Recommended Posts

I just got hit with a bad popup attack. Most of the popups indicate a "Windows Security Alert", "Antivirus System Pro alert" or something similar and I cannot run either mbam.exe or hijackthis because a popup indicates "Application cannot be executed. Do you want to activeate your antivirus software now?". How do I even get started so that I can get logs for someone to help me? Thanks

Link to post
Share on other sites

Hello gobowsgo

Welcome to Malwarebytes.

=====================

Please save these programs to your computer prior to booting into Safe Mode.

Then boot into Safe Mode.

You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Then follow the below instructions:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold

    netsvcs

    %SYSTEMDRIVE%\*.exe

    /md5start

    eventlog.dll

    scecli.dll

    netlogon.dll

    cngaudit.dll

    sceclt.dll

    ntelogon.dll

    logevent.dll

    iaStor.sys

    nvstor.sys

    atapi.sys

    IdeChnDr.sys

    viasraid.sys

    AGP440.sys

    vaxscsi.sys

    nvatabus.sys

    viamraid.sys

    nvata.sys

    nvgts.sys

    iastorv.sys

    ViPrt.sys

    eNetHook.dll

    /md5stop

    CREATERESTOREPOINT


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

===========

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Link to post
Share on other sites

Hi, thanks for your help.

I downloaded the programs. Running OTL, I get a error message "C:\Documents and Settings\glee\Desktop\OTL.exe is not a valid Win32 application".

Running the GMER program, I have the following results.log:

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit quick scan 2009-11-30 09:13:55

Windows 5.1.2600 Service Pack 3

Running: puju9yjb.exe; Driver: C:\DOCUME~1\glee\LOCALS~1\Temp\uxtdipog.sys

---- System - GMER 1.0.15 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF75B22A8]

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF75BD910]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A2FAD20

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Modules - GMER 1.0.15 ----

Module _________ F747C000-F7494000 (98304 bytes)

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

First temporarily disable any antivirus program or any real time shields that are present:

If you do not know how then you can refer to this link:

http://www.bleepingcomputer.com/forums/topic114351.html

================

Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah.pif then save it to your desktop.

Link 1

Link 2

--------------------------------------------------------------------

Double click on kahdah.pif & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Link to post
Share on other sites

I couldn't get the antivirus realtime to stop but combofix still ran. I can now start in normal mode without the massive popup swarm but internet access on that machine is dead. Thanks.

================================================

ComboFix 09-11-30.02 - glee 11/30/2009 17:42.5.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3054.2693 [GMT -8:00]

Running from: c:\documents and settings\glee\Desktop\kahdah.pif.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\glee\Local Settings\Application Data\dyamcb

c:\documents and settings\glee\Local Settings\Application Data\dyamcb\cfagsysguard.exe

C:\LOG.TXT

.

((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))

.

2009-11-30 16:01 . 2009-11-30 16:01 292352 ----a-w- C:\puju9yjb.exe

2009-11-25 03:43 . 2009-11-18 16:08 554480 ----a-w- c:\documents and settings\All Users\Application Data\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT\appupdater32.exe

2009-11-25 03:43 . 2009-11-18 16:08 553968 ----a-w- c:\documents and settings\All Users\Application Data\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT\appupdater64.exe

2009-11-25 03:43 . 2009-11-12 16:28 13888 ----a-w- c:\documents and settings\All Users\Application Data\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT\LTTCheck.exe

2009-11-21 06:09 . 2009-10-29 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2eba05.vdb\ECMSVR32.DLL

2009-11-21 06:09 . 2009-09-09 00:24 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2eba05.vdb\CCERASER.DLL

2009-11-21 06:09 . 2009-08-22 05:34 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2eba05.vdb\NAVEX15.SYS

2009-11-21 06:09 . 2009-08-22 05:34 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2eba05.vdb\NAVENG.SYS

2009-11-21 06:09 . 2009-08-22 05:33 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2eba05.vdb\NAVEX32A.DLL

2009-11-21 06:09 . 2009-08-22 05:33 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2eba05.vdb\NAVENG32.DLL

2009-11-21 06:09 . 2009-08-18 00:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2eba05.vdb\ERASER.SYS

2009-11-21 06:09 . 2009-08-18 00:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2eba05.vdb\EECTRL.SYS

2009-11-21 06:08 . 2009-11-21 06:08 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ee805.vdb\NAVENG.SYS

2009-11-21 06:08 . 2009-11-21 06:08 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ee805.vdb\EECTRL.SYS

2009-11-21 06:08 . 2009-11-21 06:08 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ee805.vdb\CCERASER.DLL

2009-11-21 06:08 . 2009-11-21 06:08 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ee805.vdb\ECMSVR32.DLL

2009-11-21 06:08 . 2009-11-21 06:08 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ee805.vdb\NAVENG32.DLL

2009-11-21 06:08 . 2009-11-21 06:08 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ee805.vdb\NAVEX32A.DLL

2009-11-21 06:08 . 2009-11-21 06:08 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ee805.vdb\NAVEX15.SYS

2009-11-21 06:08 . 2009-11-21 06:08 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ee805.vdb\ERASER.SYS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-30 16:12 . 2008-09-05 23:15 40 ----a-w- c:\windows\system32\profile.dat

2009-11-30 16:12 . 2009-05-19 00:45 12 ----a-w- c:\windows\bthservsdp.dat

2009-11-30 04:37 . 2009-10-25 15:52 -------- d-----w- c:\program files\Malwarebytes Anti-Malware

2009-11-24 03:04 . 2007-09-06 19:14 -------- d-----w- c:\program files\NET6

2009-11-17 03:57 . 2009-05-16 21:47 -------- d-----w- c:\program files\Starcraft

2009-11-01 01:06 . 2009-10-25 01:06 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2009-11-01 01:06 . 2009-10-25 01:06 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2009-11-01 01:06 . 2009-10-25 01:06 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2009-11-01 01:06 . 2009-10-28 01:08 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll

2009-11-01 01:06 . 2009-10-25 01:06 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2009-11-01 01:06 . 2009-10-25 01:06 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll

2009-11-01 01:06 . 2009-10-25 01:04 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2009-11-01 01:06 . 2009-10-25 01:04 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2009-11-01 01:06 . 2009-10-25 01:04 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2009-10-28 01:09 . 2009-10-28 01:09 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2009-10-28 01:09 . 2009-10-28 01:09 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys

2009-10-28 01:09 . 2009-10-28 01:09 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll

2009-10-28 01:09 . 2009-10-28 01:09 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-10-28 01:08 . 2009-10-25 01:06 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll

2009-10-28 01:08 . 2009-10-28 01:08 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll

2009-10-28 01:08 . 2009-10-25 01:06 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2009-10-28 01:08 . 2009-10-28 01:08 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll

2009-10-28 01:08 . 2009-10-28 01:08 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll

2009-10-28 01:08 . 2009-10-28 01:08 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2009-10-28 01:08 . 2009-10-25 01:05 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2009-10-28 01:08 . 2009-10-25 01:05 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2009-10-28 01:07 . 2009-10-25 01:05 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2009-10-28 01:07 . 2009-10-25 01:04 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2009-10-28 01:06 . 2009-10-25 01:04 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2009-10-28 01:06 . 2009-10-25 01:04 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2009-10-26 23:47 . 2009-10-26 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-10-26 01:17 . 2009-10-26 01:17 -------- d-----w- c:\documents and settings\glee\Application Data\U3

2009-10-25 23:11 . 2009-10-25 23:11 -------- d-----w- c:\program files\Trend Micro

2009-10-25 01:06 . 2009-10-25 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-10-25 01:03 . 2009-10-25 01:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2009-10-25 01:03 . 2009-10-25 01:03 -------- d-----w- c:\program files\Lavasoft

2009-10-25 00:44 . 2009-10-25 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-04 21:03 . 2004-08-04 07:56 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-03 09:17 . 2009-10-25 04:39 15688 ----a-w- c:\windows\system32\lsdelete.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-10-26_04.40.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2001-08-23 12:00 . 2009-12-01 01:31 71904 c:\windows\system32\perfc009.dat

+ 2007-09-05 11:17 . 2009-10-27 00:39 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2007-09-05 11:17 . 2008-12-30 01:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2007-09-05 11:17 . 2009-10-27 00:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2007-09-05 11:17 . 2008-12-30 01:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2001-08-23 12:00 . 2009-12-01 01:31 444028 c:\windows\system32\perfh009.dat

+ 2009-10-20 00:27 . 2009-10-20 00:27 401008 c:\windows\Downloaded Program Files\fslauncher.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-06 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-06 512000]

"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-12-07 200704]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-12-07 208896]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]

"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-03-23 120368]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-10 8495104]

"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-12-20 60704]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-10 868352]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-10 81920]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 1044480]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-03-17 124656]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-08 1468296]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes Anti-Malware\mbam.exe" [bU]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-10 1626112]

"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\glee\Start Menu\Programs\Startup\

MXIE.lnk - c:\program files\Zultys\MXIE\Bin\mxie.exe [2007-2-20 6930432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 576104]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-15 50688]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-8-3 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2007-08-14 23:54 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-07 00:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2006-12-14 18:06 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JobManagerService.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMAdmin.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMPassword.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\ScriptHostService.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CommonFiles\\intel\\AnsysWBU.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\ANSYS\\bin\\intel\\ANSYS.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ActivePIMgrU.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ReaderHostU.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\tclsh.exe"=

"c:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\wish.exe"=

"c:\\Program Files\\NET6\\net6vpn.exe"=

"c:\\ptc\\proiclient3.4\\i486_nt\\nms\\nmsd.exe"=

"c:\\ptc\\proiclient3.4\\i486_nt\\jre\\bin\\javaw.exe"=

"c:\\ptc\\wf3\\i486_nt\\obj\\pro_comm_msg.exe"=

"c:\\ptc\\wf3\\i486_nt\\obj\\xtop.exe"=

"c:\\Program Files\\Zultys\\MXIE\\Bin\\mxie.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Roger Wilco\\roger.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Common Files\\Symantec Shared\\SNDSrvc.exe"=

"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=

"c:\\Program Files\\Lenovo\\System Update\\SUService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [9/6/2007 9:24 AM 155136]

R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [9/6/2007 9:24 AM 5248]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/24/2009 5:06 PM 64288]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 6:32 PM 19504]

R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [9/6/2007 11:14 AM 44672]

S2 JobManagerService110;Ansys JobManager Service V11;c:\program files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe [9/20/2007 6:31 PM 20480]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1179232]

S2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]

S2 ScriptHostService110;Ansys ScriptHost Service V11;c:\program files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe [9/20/2007 6:31 PM 20480]

S2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [8/14/2007 3:46 PM 10896]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/2/2009 7:21 PM 102448]

S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\glee\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\glee\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]

S3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [6/8/2007 8:36 AM 81280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 01:06]

2009-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-11-30 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-09-06 09:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://tools/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\glee\Application Data\Mozilla\Firefox\Profiles\ismml5og.default\

FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/

FF - plugin: c:\documents and settings\glee\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-gtgnqrct - c:\documents and settings\glee\Local Settings\Application Data\dyamcb\cfagsysguard.exe

HKLM-Run-gtgnqrct - c:\documents and settings\glee\Local Settings\Application Data\dyamcb\cfagsysguard.exe

AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE

AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-30 17:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1124)

c:\windows\system32\vrlogon.dll

c:\windows\system32\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infra.dll

c:\program files\ThinkVantage Fingerprint Software\homepass.dll

c:\program files\ThinkVantage Fingerprint Software\bio.dll

c:\program files\ThinkVantage Fingerprint Software\ps2css.dll

c:\program files\ThinkVantage Fingerprint Software\remote.dll

c:\program files\Lenovo\HOTKEY\tphklock.dll

c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(1180)

c:\windows\system32\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infra.dll

.

Completion time: 2009-11-30 17:46

ComboFix-quarantined-files.txt 2009-12-01 01:46

ComboFix2.txt 2009-10-30 02:11

ComboFix3.txt 2009-10-26 23:20

ComboFix4.txt 2009-10-26 04:41

Pre-Run: 131,144,736,768 bytes free

Post-Run: 131,201,609,728 bytes free

- - End Of File - - F89E9DAE409504770C4814399340ACC1

Link to post
Share on other sites

I was able to get Hijack This to run. Here is the log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:51:32 PM, on 11/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe

C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe

C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\lenovo\system update\suservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\D-Tools\daemon.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\WINDOWS\system32\TpShocks.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes Anti-Malware\mlogon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tools/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes Anti-Malware\mbam.exe" /runcleanupscript

O4 - Startup: MXIE.lnk = C:\Program Files\Zultys\MXIE\Bin\mxie.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189036841709

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-307.ibm.com/pc/support/IbmEgath.cab

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

O23 - Service: Ansys JobManager Service V11 (JobManagerService110) - Ansys, Inc - C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe

O23 - Service: Ansys ScriptHost Service V11 (ScriptHostService110) - Ansys, Inc. - C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--

End of file - 12035 bytes

Link to post
Share on other sites

It is because the malware set a proxy.

Do the following.

Reopen hijackthis and choose " Do a System scan only" put a check mark next to this entry:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

Click on Fix checked then close Hijackthis.

After that mbam will update.

==========================

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

Thanks! Here is the log from MBAM. Running ESET next.

Malwarebytes' Anti-Malware 1.41

Database version: 3267

Windows 5.1.2600 Service Pack 3

12/1/2009 7:36:26 AM

mbam-log-2009-12-01 (07-36-26).txt

Scan type: Quick Scan

Objects scanned: 158569

Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=45315

esets_scanner_update returned -1 esets_gle=45315

# version=7

# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=cbf597eeb9adac4d93ec5d75b5ff9159

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=false

# utc_time=2009-12-01 05:05:57

# local_time=2009-12-01 09:05:57 (-0800, Pacific Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 3086324 3086324 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=128104

# found=2

# cleaned=2

# scan_time=2123

C:\Qoobox\Quarantine\C\Documents and Settings\glee\Local Settings\Application Data\dyamcb\cfagsysguard.exe.vir Win32/Adware.SpyProtector.N application (cleaned by deleting - quarantined) 72899C187778011622559D7E159B1BCA C

C:\System Volume Information\_restore{5A7DAAAE-288C-450D-B843-62619B0CCA8C}\RP197\A0021119.exe Win32/Adware.SpyProtector.N application (cleaned by deleting - quarantined) 72899C187778011622559D7E159B1BCA C

Link to post
Share on other sites

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

======Next======

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that your all set. :thumbsup:

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...

Link to post
Share on other sites

  • 3 weeks later...
Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.