Jump to content

Recommended Posts

Please help me with the following problem, please view the following logs from mcafee, names the trojan as JV/OpenConnection, malwarebytes names it as spyware password xgen, hijackthis (I ran them in that order respectively) and let me know if my computer is still infected? Thank you very much. I really appreciate your help.

Mcafee Scan Log:

4/10/2011 5:16:16 PM Engine version = 5400.1158

4/10/2011 5:16:16 PM AntiVirus DAT version = 6312.0

4/10/2011 5:16:16 PM Number of detection signatures in EXTRA.DAT = None

4/10/2011 5:16:16 PM Names of detection signatures in EXTRA.DAT = None

4/11/2011 6:30:04 AM Deleted SUNET\hle C:\Program Files\Java\jre6\bin\java.exe C:\DOCUME~1\hle\LOCALS~1\temp\jar_cache618925477484472100.tmp JV/OpenConnection (Trojan)

4/11/2011 6:30:06 AM Deleted SUNET\hle C:\Program Files\Java\jre6\bin\java.exe C:\DOCUME~1\hle\LOCALS~1\temp\jar_cache7186001511827882154.tmp JV/OpenConnection (Trojan)

4/11/2011 6:33:09 AM Engine version = 5400.1158

4/11/2011 6:33:09 AM AntiVirus DAT version = 6312.0

4/11/2011 6:33:09 AM Number of detection signatures in EXTRA.DAT = None

4/11/2011 6:33:09 AM Names of detection signatures in EXTRA.DAT = None

4/11/2011 6:53:15 AM Deleted SUNET\hle C:\Program Files\Java\jre6\bin\java.exe C:\DOCUME~1\hle\LOCALS~1\temp\jar_cache2130517355703636600.tmp JV/OpenConnection (Trojan)

4/11/2011 6:53:16 AM Deleted SUNET\hle C:\Program Files\Java\jre6\bin\java.exe C:\DOCUME~1\hle\LOCALS~1\temp\jar_cache725563260620499815.tmp JV/OpenConnection (Trojan)

4/11/2011 5:23:08 PM Engine version = 5400.1158

4/11/2011 5:23:08 PM AntiVirus DAT version = 6313.0

4/11/2011 5:23:08 PM Number of detection signatures in EXTRA.DAT = None

4/11/2011 5:23:08 PM Names of detection signatures in EXTRA.DAT = None

4/11/2011 5:29:48 PM Statistics:

4/11/2011 5:29:48 PM Files scanned: 322520

4/11/2011 5:29:48 PM Files detected: 2

4/11/2011 5:29:48 PM Files cleaned: 0

4/11/2011 5:29:48 PM Files deleted: 2

4/11/2011 5:32:01 PM Engine version = 5400.1158

4/11/2011 5:32:01 PM AntiVirus DAT version = 6313.0

4/11/2011 5:32:01 PM Number of detection signatures in EXTRA.DAT = None

4/11/2011 5:32:01 PM Names of detection signatures in EXTRA.DAT = None

then I ran malwarebytes

Malwarebytes logs:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6330

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/11/2011 5:23:42 PM

mbam-log-2011-04-11 (17-23-42).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|)

Objects scanned: 498596

Time elapsed: 2 hour(s), 50 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{3D33EA2D-CEBB-B392-93B2-A401BC5B20BD} (Spyware.Passwords.XGen) -> Value: {3D33EA2D-CEBB-B392-93B2-A401BC5B20BD} -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\hle\application data\Geaviv\wuac.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\program files\mozilla firefox\null0.20762071130059845.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\documents and settings\hle\local settings\temp\jar_cache3072177209624834361.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\documents and settings\hle\local settings\temp\jar_cache6141114055004062679.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

and this is the Hijackthis log right after malwarebytes finished and laptop was rebooted

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:15:26 PM, on 4/11/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\DTS.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\AtService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\hasplms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Nero\Update\NASvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\WINDOWS\system32\WebUpdateSvc4.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe

C:\Documents and Settings\hle\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pharmacy.su.edu/PharmWeb/Hier/index.cfm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s

O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_Plugin.exe -update plugin

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265341897521

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = su.edu

O17 - HKLM\Software\..\Telephony: DomainName = su.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = su.edu

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = su.edu

O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\WINDOWS\system32\AtService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe

O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe

O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe

--

End of file - 12761 bytes

Eset Online Scanner is currently scanning.

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal an information stealing trojan.

I would counsel you to disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You will need to change your passwords, and all other sensitive information, but only once your system is deemed clean.

With that said, please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Thanks for replying. Here's the log files (combo fix and dds logs + dds attach.zip) you requested. I have to attach the combofix log because it is so long that the forum won't let me post the log directly here. If you have any idea, I can repost it.

When I upload the two program dds and combofix to virustotal - it shows that they contain virus themselves according to some antivirus - is that normal?

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by hle at 16:58:39.37 on Thu 04/14/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1992.1164 [GMT -4:00]

.

AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\DTS.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\AtService.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\hasplms.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Nero\Update\NASvc.exe

C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\WINDOWS\system32\WebUpdateSvc4.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\hle\My Documents\Downloads\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://pharmacy.su.edu/PharmWeb/Hier/index.cfm

BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe

mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s

mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\hle\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe

mPolicies-system: HideFastUserSwitching = 1 (0x1)

IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm

IE: Download with IDM - c:\program files\internet download manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265341897521

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll

Notify: igfxcui - igfxdev.dll

Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll

Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\hle\applic~1\mozilla\firefox\profiles\2fn9hbni.default\

FF - prefs.js: browser.startup.homepage - hxxp://pharmacy.su.edu/

FF - component: c:\documents and settings\hle\application data\idm\idmmzcc3\components\idmmzcc.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}

FF - Ext: ??????????: {b065cadc-711c-4074-a257-63df8e2128d7} - %profile%\extensions\{b065cadc-711c-4074-a257-63df8e2128d7}

FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}

FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Ext: Full Flat: {6E1A2A2E-AE2A-4A26-A812-46F54288379E} - %profile%\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E}

FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}

FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Ext: AmbientFox: {c8f71e5b-88f8-42a7-98bb-e4c506161de9} - %profile%\extensions\{c8f71e5b-88f8-42a7-98bb-e4c506161de9}

FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}

FF - Ext: Add N Edit Cookies: {038dc421-b19e-4711-a218-1fd10de9163b} - %profile%\extensions\{038dc421-b19e-4711-a218-1fd10de9163b}

FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\hle\application data\idm\idmmzcc3

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-9-29 143088]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-18 340592]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]

R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-3-19 1680632]

R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2009-3-19 98304]

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2008-9-29 19456]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-9-29 62800]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-6-22 67904]

R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-6-18 94208]

R2 SSIRuntimeService;SSIRuntimeService;c:\program files\software secure, inc\ssiruntimeservice\SSIRuntimeService.exe [2007-9-17 45056]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-8-5 2058776]

R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-5-18 229856]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-8-5 482176]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-6-18 239760]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-18 90360]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-18 42424]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]

S2 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe [?]

S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-3-19 106496]

S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2009-3-19 118784]

S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]

S3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [2009-6-18 81280]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-6-22 64432]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-4-30 14336]

.

=============== Created Last 30 ================

.

2011-04-14 20:43:15 -------- d-sha-r- C:\cmdcons

2011-04-14 20:42:23 -------- d-----w- C:\huonglxcbf

2011-04-14 06:28:07 -------- d-----w- c:\docume~1\hle\locals~1\applic~1\PCHealth

2011-04-13 02:44:31 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{1091eaa4-6b78-4e85-8340-4f6fc6041bc0}\mpengine.dll

2011-04-11 10:30:07 -------- d-----w- c:\docume~1\hle\applic~1\Kikau

2011-04-01 00:30:01 95200 ----a-w- c:\windows\system\VBDB300.DLL

2011-04-01 00:30:01 394384 ----a-w- c:\windows\system\VBRUN300.DLL

2011-04-01 00:30:01 -------- d---a-w- c:\program files\McGraw

2011-03-24 00:51:36 -------- d-----w- c:\docume~1\hle\applic~1\SPSSInc

2011-03-23 02:58:10 -------- d-----w- c:\documents and settings\hle\.spss

2011-03-23 02:50:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\SafeNet Sentinel

2011-03-23 02:48:28 -------- d-----w- c:\program files\common files\SPSS

2011-03-23 02:48:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\SPSS

2011-03-23 02:48:24 -------- d-----w- c:\program files\common files\SPSSInc

2011-03-23 02:47:48 -------- d-----w- c:\program files\SPSSInc

2011-03-23 02:47:33 1025 ----a-w- c:\windows\system32\sysprs7.dll

.

==================== Find3M ====================

.

2011-02-26 03:38:47 1522424 ----a-w- c:\windows\My Farm Life Uninstaller.exe

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

============= FINISH: 16:59:01.70 ===============

Combo log.zip

Attach.zip

Link to post
Share on other sites

  • Staff

Hi,

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos ect. This means no P2P evidence will be supported. Logs that show these in them, will given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed period. It's theft and against the law.

This goes for uTorrent and anything else you have installed. It's probably how you were infected to begin with.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.