
Solved: Hope to get Help here... Trojan Problem

Discussion in 'Virus & Other Malware Removal' started by sudeepji, Sep 25, 2008.

  1. sudeepji

    sudeepji Thread Starter

    Joined:
    Sep 24, 2008
    Messages:
    19
    Hi,

    I believe I have finally found a site that can help me solve my problem. Seems to be a great site. Thanks to all the techie guys here.

    Well, my problem is that my laptop suffered from the Virtumonde trojan last week. I have ZoneAlarm, which is updated regularly, but it was not detecting this trojan. My Internet Explorer was running very slowly and opening unwanted sites. I scanned my system with Spyware Doctor, Normal Malware and VundoFix (also in safe mode). I was able to clean this Virtumonde (I believe so, because Spyware Doctor no longer finds it).

    The opening of unwanted sites has stopped, but I am still facing a problem of Internet Explorer slowing down while opening some sites. It doesn't work for Gmail, Google search, Yahoo Mail, Naukri, etc. I am really bugged by this. Then I tried BHODemon and disabled all the add-ons; even Firefox has the same problem. But I was unable to solve my problem. Kindly help me, guys.


    God Bless You All (y)...


    Here is the HijackThis log:
    --------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:57:54 PM, on 9/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\System Update\SUService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (disabled by BHODemon)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (disabled by BHODemon)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (disabled by BHODemon)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (disabled by BHODemon)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [BMa728ef1d] Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKCU\..\Run: [each default] C:\DOCUME~1\Bhagwan\APPLIC~1\FIVEDU~1\Junk tool stop.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163697208468
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: rqRJBTJB - rqRJBTJB.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 11279 bytes
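The entries a helper looks for by eye in a log like the one above are a small set of patterns: an O4 Run entry that launches rundll32 on a DLL with a throwaway lowercase name in system32 and a one-letter entry point (here `subbwyxv.dll`, `s`), an O20 Winlogon Notify package whose DLL is missing, an O23 service whose binary is missing, and a Run entry that starts an executable from the user's Application Data folder. The Python below is an added example, not part of the thread or of HijackThis itself; it applies those heuristics to a few lines copied from the posted log plus two benign vendor entries, embedded here as constructed sample input. The name-length thresholds and the reason strings are assumptions chosen for illustration, and a match is a reason to look closer, not a verdict.

```python
"""Heuristic triage of HijackThis-style log lines for the indicators seen above."""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the log posted in this thread, plus two
# ordinary vendor entries (ZoneAlarm, ThinkPad power manager) that must NOT be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BMa728ef1d] Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKCU\..\Run: [each default] C:\DOCUME~1\Bhagwan\APPLIC~1\FIVEDU~1\Junk tool stop.exe
O20 - Winlogon Notify: rqRJBTJB - rqRJBTJB.dll (file missing)
O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip()

# rundll32 invocations: rundll32[.exe] <dll>,<entry>  (dll path may be quoted)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S*)',
    re.IGNORECASE,
)
# Assumed heuristic: 6-8 lowercase letters and nothing else, the naming style of
# the DLLs listed in the log above. Real system DLLs usually carry digits or a
# recognisable word, so this rarely hits them, but it is still only a heuristic.
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,8}\.dll$")


@dataclass
class Finding:
    line_no: int
    item: str    # HijackThis section code: O4, O20, O23, ...
    reason: str
    text: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line; benign lines produce nothing."""
    findings: list[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line or " - " not in line:
            continue
        item = line.split(" ", 1)[0]
        reasons: list[str] = []

        if item == "O4":
            m = RUNDLL_RE.search(line)
            if m:
                dll = m.group("dll")
                base = dll.rsplit("\\", 1)[-1]
                if "\\system32\\" in dll.lower() and RANDOM_DLL_RE.match(base):
                    reasons.append("rundll32 loads a random-named DLL from system32")
                if len(m.group("entry")) == 1:
                    reasons.append("single-character export name")
            up = line.upper()
            if ("\\APPLIC~1\\" in up or "\\APPLICATION DATA\\" in up) and up.endswith(".EXE"):
                reasons.append("autorun executable lives in the user profile's Application Data")
        elif item == "O20" and "(file missing)" in line:
            reasons.append("Winlogon Notify package whose DLL no longer exists (orphan)")
        elif item == "O23" and "(file missing)" in line:
            reasons.append("service registered for a binary that no longer exists")

        if reasons:
            findings.append(Finding(n, item, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.item:<4} {f.reason}\n    {f.text}")
```

Run as a script it prints four findings (lines 2, 4, 5 and 6 of the sample) and stays silent on the ZoneAlarm, ThinkPad and vsmon entries. The orphaned O20 and O23 entries are the kind of leftovers a cleanup tool removes once the file is gone, which is exactly what the ComboFix report later in the thread lists under "ORPHANS REMOVED".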
     
  2. sudeepji

    sudeepji Thread Starter

    Joined:
    Sep 24, 2008
    Messages:
    19
    Anybody ??
     
  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hi and welcome :)

    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • ...
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
     
  4. sudeepji

    sudeepji Thread Starter

    Joined:
    Sep 24, 2008
    Messages:
    19
    Hey, thanks buddy, I did exactly what you told me. Here is the ComboFix report, along with the HijackThis report afterwards. Kindly review.


    ComboFix 08-09-25.03 - Bhagwan 2008-09-25 23:26:58.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.202 [GMT 5.5:30]
    Running from: C:\Documents and Settings\Bhagwan\Desktop\ComboFix.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\Bhagwan\Local Settings\Temporary Internet Files\SuggestedSites.dat
    C:\WINDOWS\BMa728ef1d.txt
    C:\WINDOWS\BMa728ef1d.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\bdkeibjj.ini
    C:\WINDOWS\system32\ffxvbmgn.ini
    C:\WINDOWS\system32\fnvcqlpt.ini
    C:\WINDOWS\system32\gqnkfpst.ini
    C:\WINDOWS\system32\kijljhyn.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mdm.exe
    C:\WINDOWS\system32\rggwwtga.ini
    C:\WINDOWS\system32\uDLlRXyb.ini
    C:\WINDOWS\system32\ypbvltbr.ini
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_POWERMANAGER

    ((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
    .
    2008-09-24 22:40 . 2008-09-24 22:41 <DIR> d-------- C:\Program Files\SpyNoMore
    2008-09-22 22:49 . 2008-09-22 22:49 <DIR> d-------- C:\VundoFix Backups
    2008-09-21 13:59 . 2008-09-21 13:59 <DIR> d--hs---- C:\Documents and Settings\Bhagwan\PrivacIE
    2008-09-21 13:42 . 2006-10-17 13:06 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
    2008-09-21 13:42 . 2006-10-17 13:06 78,336 --a------ C:\WINDOWS\system32\dllcache\ieencode.dll
    2008-09-21 09:58 . 2008-09-25 21:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-20 22:06 . 2008-09-20 22:06 114,688 --a------ C:\WINDOWS\system32\gkyfvmxn.dll
    2008-09-19 22:12 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-09-19 22:12 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-09-19 22:12 . 2008-09-19 22:21 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-09-19 22:12 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-09-19 22:11 . 2008-09-20 18:44 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-09-19 22:11 . 2008-09-19 22:11 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\PC Tools
    2008-09-19 21:45 . 2008-09-19 21:45 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\Uniblue
    2008-09-19 21:44 . 2008-09-19 21:44 <DIR> d-------- C:\Program Files\Uniblue
    2008-09-18 22:21 . 2008-09-18 22:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-09-18 22:19 . 2008-09-18 22:43 <DIR> d-------- C:\Documents and Settings\Bhagwan\.housecall6.6
    2008-09-18 21:33 . 2008-09-18 21:33 89,600 --a------ C:\WINDOWS\system32\agtwwggr.dll
    2008-09-18 21:31 . 2008-09-18 21:31 112,640 --a------ C:\WINDOWS\system32\odcshpmt.dll
    2008-09-18 21:31 . 2008-09-18 21:31 112,640 --a------ C:\WINDOWS\system32\kxbhur.dll
    2008-09-16 21:35 . 2008-09-16 21:35 112,128 --a------ C:\WINDOWS\system32\xtvapr.dll
    2008-09-16 21:35 . 2008-09-16 21:35 112,128 --a------ C:\WINDOWS\system32\hdsurtcy.dll
    2008-09-15 20:05 . 2008-09-15 20:05 112,128 --a------ C:\WINDOWS\system32\etwlhz.dll
    2008-09-15 20:05 . 2008-09-15 20:05 112,128 --a------ C:\WINDOWS\system32\cvhboxjs.dll
    2008-09-14 22:22 . 2008-09-14 22:22 111,616 --a------ C:\WINDOWS\system32\zifbyl.dll
    2008-09-14 22:21 . 2008-09-14 22:22 111,616 --a------ C:\WINDOWS\system32\agsqrpwh.dll
    2008-09-14 22:18 . 2008-09-20 22:30 381,920 --ahs---- C:\WINDOWS\system32\uDLlRXyb.ini2
    2008-09-14 22:18 . 2008-09-14 22:19 99,328 --------- C:\WINDOWS\system32\subbwyxv.dll
    2008-09-14 21:59 . 2008-09-14 21:59 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\MailFrontier
    2008-09-14 21:58 . 2008-09-25 23:34 112,732,960 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-09-14 21:58 . 2008-09-25 23:30 1,511,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-09-14 21:53 . 2008-09-14 21:53 <DIR> d-------- C:\Program Files\Zone Labs
    2008-09-14 21:53 . 2008-08-10 21:42 1,221,008 --a------ C:\WINDOWS\system32\zpeng25.dll
    2008-09-14 21:53 . 2008-08-10 21:42 72,592 --a------ C:\WINDOWS\zllsputility.exe
    2008-09-14 21:52 . 2008-09-25 23:32 349,222 --a------ C:\WINDOWS\system32\vsconfig.xml
    2008-09-14 14:13 . 2008-09-14 14:13 <DIR> d-------- C:\Program Files\Unlocker
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-25 17:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-21 09:48 --------- d-----w C:\Program Files\Google
    2008-09-20 19:12 --------- d-----w C:\Program Files\Folder Lock
    2008-09-20 19:07 --------- d-----w C:\Program Files\BitTorrent
    2008-09-20 15:08 --------- d-----w C:\Documents and Settings\Bhagwan\Application Data\BitTorrent
    2008-09-15 12:35 1,229,312 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
    2008-09-14 09:24 60,416 ----a-w C:\WINDOWS\system32\rbap350.dll
    2008-09-14 09:24 54,784 ----a-w C:\WINDOWS\system32\RBQT350.DLL
    2008-09-11 14:50 60,416 ----a-w C:\WINDOWS\rbap350.dll
    2008-09-11 14:50 54,784 ----a-w C:\WINDOWS\RBQT350.DLL
    2008-08-31 15:20 --------- d-----w C:\Program Files\Java
    2008-08-05 12:25 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
    2008-08-01 15:36 --------- d-----w C:\Program Files\Sun
    2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 16:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-18 16:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-01 02:19 16,234,924 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
    1998-12-08 21:23 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-08 21:23 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-08 21:23 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-08 21:23 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-08 21:23 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-08 21:23 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2006-06-02 36864]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-22 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 856064]
    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-01-21 135168]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-09 110592]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-09 512000]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2006-09-08 146944]
    "TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 131072]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 163840]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 135168]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-09 185896]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-10 981904]
    "BMa728ef1d"="C:\WINDOWS\system32\subbwyxv.dll" [2008-09-14 99328]
    "TpShocks"="TpShocks.exe" [2006-03-15 C:\WINDOWS\system32\TpShocks.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-01 622653]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-05 24576]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-11-30 20:16 24576 C:\WINDOWS\system32\tphklock.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a------ 2006-06-15 12:36 229376 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-08-06 23:13 98304 C:\Program Files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-05-09 22:32 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-01-19 12:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "BMa728ef1d"=Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s
    "a41bdc81"=rundll32.exe "C:\WINDOWS\system32\agtwwggr.dll",b
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "21954:TCP"= 21954:TCP:BitComet 21954 TCP
    "21954:UDP"= 21954:UDP:BitComet 21954 UDP
    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2006-03-15 88576]
    R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 14208]
    R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 11520]
    R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 2432]
    R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 4736]
    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-01-21 4442]
    R2 FLYCAM;FlyCam, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\flycam.sys [2006-01-12 705408]
    R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 6016]
    S2 CameraServer;CameraServer;c:\FlyCam\CameraServer.exe [ ]
    S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\Bhagwan\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [ ]
    S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 12288]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26fa9fe2-c9c7-11dc-90a0-00166f90eb62}]
    \Shell\Auto\command - MicrosoftPowerPoint.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b645eab-0f7b-11dc-8ecd-00166f90eb62}]
    \Shell\AutoRun\command - EXPLORER.EXE
    \Shell\explore\Command - EXPLORER.EXE
    \Shell\open\Command - EXPLORER.EXE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -
    HKCU-Run-each default - C:\DOCUME~1\Bhagwan\APPLIC~1\FIVEDU~1\Junk tool stop.exe
    HKLM-Run-osCheck - C:\Program Files\Norton Internet Security\osCheck.exe
    ShellExecuteHooks-{9E563692-6E8F-4DB6-BA56-42EF3BA3F84F} - (no file)
    Notify-rqRJBTJB - rqRJBTJB.dll
    MSConfigStartUp-ICQ Lite - C:\Program Files\ICQLite\ICQLite.exe

    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Bhagwan\Application Data\Mozilla\Firefox\Profiles\i6cfkz79.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-25 23:33:23
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files:
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tphklock.dll
    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\subbwyxv.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    C:\WINDOWS\system32\QCONSVC.EXE
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\system32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSvc.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\System Update\SUService.exe
    C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-25 23:35:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-25 18:05:39
    Pre-Run: 1,776,345,088 bytes free
    Post-Run: 2,587,348,992 bytes free
    261 --- E O F --- 2008-09-11 17:36:44


    ##################################################


    Hijackthis report :-

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:40:14 PM, on 9/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\Lenovo\System Update\SUService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [BMa728ef1d] Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163697208468
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 9520 bytes
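    The two logs in this post already contain the evidence a helper looks for by eye: the HijackThis O4 entry `[BMa728ef1d] Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s` and, in the ComboFix section "DLLs Loaded Under Running Processes", the same DLL sitting inside explorer.exe. As an added example (not part of the original thread, and not code from HijackThis, ComboFix or Malwarebytes), the Python script below automates that triage: it parses O4 Run lines, keeps those that launch a DLL through rundll32, scores a few indicators, and cross-checks the DLL against the ComboFix loaded-module list. The sample lines are copied from the logs above; the indicator set, the threshold of two indicators, and the "BM" + eight-hex-digit name pattern (taken from the BMa728ef1d value and the BMa728ef1d.xml/.txt files MBAM removes later in this thread) are heuristics of my own, not a published signature.

```python
"""Triage of HijackThis O4 "Run" entries, cross-checked against the
"DLLs Loaded Under Running Processes" section of a ComboFix log.

Added example for this thread; not part of HijackThis, ComboFix or MBAM.
All sample lines are copied from the logs posted above and embedded here
so the script runs offline and touches nothing on disk.
"""
import re

# Constructed sample: a benign subset of the O4 entries plus the Vundo one.
HJT_LINES = [
    r'O4 - HKLM\..\Run: [TpShocks] TpShocks.exe',
    r'O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor',
    r'O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent',
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r'O4 - HKLM\..\Run: [BMa728ef1d] Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]

# Constructed sample: the ComboFix "DLLs Loaded Under Running Processes" block.
COMBOFIX_LINES = [
    r'PROCESS: C:\WINDOWS\system32\winlogon.exe',
    r'-> C:\WINDOWS\system32\tphklock.dll',
    r'PROCESS: C:\WINDOWS\explorer.exe',
    r'-> C:\WINDOWS\system32\subbwyxv.dll',
]

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# Heuristic only: the value name in this log is "BM" + 8 hex digits, the same stem
# as the BMa728ef1d.xml/.txt files MBAM later removed. Not a published signature.
BM_NAME_RE = re.compile(r'^BM[0-9a-f]{8}$', re.I)


def parse_rundll(cmd):
    """Return (dll, entry_point) if cmd launches a DLL via rundll32, else None.

    rundll32 accepts '<dll>,<entry>' and also '<dll>,,<entry>'; commas and
    spaces between the two are all separators, so both forms parse the same way.
    """
    m = re.match(r'^"?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', cmd.strip(), re.I)
    if not m:
        return None
    rest = m.group('rest')
    if rest.startswith('"'):                      # quoted path (may contain spaces)
        close = rest.find('"', 1)
        if close < 0:
            close = len(rest)
        dll, tail = rest[1:close], rest[close + 1:]
    else:                                         # bare path: ends at first comma/space
        m2 = re.match(r'^([^,\s]+)(.*)$', rest)
        dll, tail = m2.group(1), m2.group(2)
    tokens = [t for t in re.split(r'[,\s]+', tail) if t]
    return dll, (tokens[0] if tokens else '')


def loaded_modules(lines):
    """Map DLL basename -> set of host process basenames from 'PROCESS:'/'->' lines."""
    hosts, current = {}, None
    for line in (ln.strip() for ln in lines):
        if line.upper().startswith('PROCESS:'):
            current = line.split(':', 1)[1].strip().rsplit('\\', 1)[-1].lower()
        elif line.startswith('->') and current:
            dll = line[2:].strip().rsplit('\\', 1)[-1].lower()
            hosts.setdefault(dll, set()).add(current)
    return hosts


def triage(hjt_lines, combofix_lines, min_indicators=2):
    """Return O4 rundll32 entries showing at least min_indicators suspicious traits."""
    loaded = loaded_modules(combofix_lines)
    findings = []
    for line in (ln.strip() for ln in hjt_lines):
        m = O4_RE.match(line)
        if not m:
            continue
        parsed = parse_rundll(m.group('cmd'))
        if parsed is None:
            continue
        dll, export = parsed
        base = dll.rsplit('\\', 1)[-1].lower()
        reasons = []
        if '\\system32\\' in dll.lower():
            reasons.append('DLL launched from system32 through rundll32')
        if len(export) <= 1:
            reasons.append('single-character or missing entry point (%r)' % export)
        if BM_NAME_RE.match(m.group('name')):
            reasons.append('value name matches the BM+8hex pattern seen in this log')
        if base in loaded:
            reasons.append('same DLL loaded inside: ' + ', '.join(sorted(loaded[base])))
        if len(reasons) >= min_indicators:
            findings.append({'name': m.group('name'), 'dll': dll,
                             'export': export, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(HJT_LINES, COMBOFIX_LINES):
        print('[%s] %s,%s' % (f['name'], f['dll'], f['export']))
        for r in f['reasons']:
            print('    - ' + r)
```

    Run against the sample, only the BMa728ef1d entry is reported, with all four indicators; the ThinkPad PWRMGRTR.DLL and the Windows bthprops.cpl entries, which also use rundll32, score zero and stay silent. The cross-check with the loaded-module list is the part worth keeping: a persistence entry whose DLL is already inside explorer.exe is exactly the case where a file delete fails and a scanner has to fall back to "Delete on reboot", as the MBAM log later in this thread shows.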
     
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Please download Malwarebytes Anti-Malware and save it to your desktop (alternate download link 1, alternate download link 2).
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply with a new hijackthis log.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
     
  6. sudeepji

    sudeepji Thread Starter

    Joined:
    Sep 24, 2008
    Messages:
    19
    Hey Cheeseball,

    Thanks a lot, buddy... I did what you told me... here is the MBAM report file along with the HijackThis log below. Please review...

    -----------------------

    Malwarebytes' Anti-Malware 1.28
    Database version: 1209
    Windows 5.1.2600 Service Pack 2
    9/26/2008 6:58:29 PM
    mbam-log-2008-09-26 (18-58-29).txt
    Scan type: Quick Scan
    Objects scanned: 59484
    Time elapsed: 22 minute(s), 34 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 35
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\WINDOWS\system32\subbwyxv.dll (Trojan.Vundo) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bma728ef1d (Trojan.Vundo) -> Delete on reboot.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\WINDOWS\system32\subbwyxv.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\gkyfvmxn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cvhboxjs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\etwlhz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hdsurtcy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\odcshpmt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\agsqrpwh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\agtwwggr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\kxbhur.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xtvapr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zifbyl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BMa728ef1d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BMa728ef1d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_114_Sudha_7D.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_115.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_116.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_117.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_119.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\IHC_PPM (LLC Company) AM Comments (clean) (2).doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\~WRD2422.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\dd_netfx20MSI5668.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\dd_netfx20UI5668.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\buildabear2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\carlsjrburger.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\football2006.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\grudge2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\mandmsdark.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\nordstrom5.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\poptartsotc.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\tampax.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\vwchocolate.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\wellsfargo2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Local Settings\Temp\ysmash.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sudeep\Desktop\sudha.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.

    ---------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:07:01 PM, on 9/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\System Update\SUService.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163697208468
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 10045 bytes
     
  7. sudeepji

    sudeepji Thread Starter

    Joined:
    Sep 24, 2008
    Messages:
    19
    Well, I think my problem is solved now... IE is working very well...

    Thanks a lot for this support, bro... Kindly review whether everything is all right.
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You're welcome :)

    I would still like to see one last log from ComboFix. I think MBAM got rid of most of the leftovers.
     
  9. sudeepji

    sudeepji Thread Starter

    Joined:
    Sep 24, 2008
    Messages:
    19
    Thanks, buddy... Here is the ComboFix log... kindly review:

    ComboFix 08-09-26.06 - Bhagwan 2008-09-27 23:24:57.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.72 [GMT 5.5:30]
    Running from: C:\Documents and Settings\Bhagwan\Desktop\ComboFix.exe
    * Created a new restore point
    * Resident AV is active

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
    .
    2008-09-26 20:30 . 2008-09-26 20:30 <DIR> d-------- C:\Program Files\Common Files\Lenovo
    2008-09-26 18:28 . 2008-09-26 18:28 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\Malwarebytes
    2008-09-26 18:28 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-26 18:27 . 2008-09-26 18:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-26 18:27 . 2008-09-26 18:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-26 18:27 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-24 22:40 . 2008-09-24 22:41 <DIR> d-------- C:\Program Files\SpyNoMore
    2008-09-22 22:49 . 2008-09-22 22:49 <DIR> d-------- C:\VundoFix Backups
    2008-09-21 13:59 . 2008-09-21 13:59 <DIR> d--hs---- C:\Documents and Settings\Bhagwan\PrivacIE
    2008-09-21 13:42 . 2006-10-17 13:06 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
    2008-09-21 13:42 . 2006-10-17 13:06 78,336 --a------ C:\WINDOWS\system32\dllcache\ieencode.dll
    2008-09-21 09:58 . 2008-09-27 23:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-19 22:12 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-09-19 22:12 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-09-19 22:12 . 2008-09-19 22:21 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-09-19 22:12 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-09-19 22:11 . 2008-09-20 18:44 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-09-19 22:11 . 2008-09-19 22:11 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\PC Tools
    2008-09-19 21:45 . 2008-09-19 21:45 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\Uniblue
    2008-09-19 21:44 . 2008-09-19 21:44 <DIR> d-------- C:\Program Files\Uniblue
    2008-09-18 22:21 . 2008-09-18 22:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-09-18 22:19 . 2008-09-18 22:43 <DIR> d-------- C:\Documents and Settings\Bhagwan\.housecall6.6
    2008-09-14 22:18 . 2008-09-20 22:30 381,920 --ahs---- C:\WINDOWS\system32\uDLlRXyb.ini2
    2008-09-14 21:59 . 2008-09-14 21:59 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\MailFrontier
    2008-09-14 21:58 . 2008-09-27 23:30 120,318,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-09-14 21:58 . 2008-09-26 22:56 1,567,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-09-14 21:53 . 2008-09-14 21:53 <DIR> d-------- C:\Program Files\Zone Labs
    2008-09-14 21:53 . 2008-08-10 21:42 1,221,008 --a------ C:\WINDOWS\system32\zpeng25.dll
    2008-09-14 21:53 . 2008-08-10 21:42 72,592 --a------ C:\WINDOWS\zllsputility.exe
    2008-09-14 21:52 . 2008-09-27 23:04 349,222 --a------ C:\WINDOWS\system32\vsconfig.xml
    2008-09-14 14:13 . 2008-09-14 14:13 <DIR> d-------- C:\Program Files\Unlocker
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-27 17:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-26 15:00 --------- d-----w C:\Program Files\Lenovo
    2008-09-21 09:48 --------- d-----w C:\Program Files\Google
    2008-09-20 19:12 --------- d-----w C:\Program Files\Folder Lock
    2008-09-20 19:07 --------- d-----w C:\Program Files\BitTorrent
    2008-09-20 15:08 --------- d-----w C:\Documents and Settings\Bhagwan\Application Data\BitTorrent
    2008-09-15 12:35 1,229,312 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
    2008-09-11 14:50 60,416 ----a-w C:\WINDOWS\rbap350.dll
    2008-09-11 14:50 54,784 ----a-w C:\WINDOWS\RBQT350.DLL
    2008-08-31 15:20 --------- d-----w C:\Program Files\Java
    2008-08-01 15:36 --------- d-----w C:\Program Files\Sun
    2008-07-01 02:19 16,234,924 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
    1998-12-08 21:23 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-08 21:23 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-08 21:23 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-08 21:23 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-08 21:23 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-08 21:23 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .
    ((((((((((((((((((((((((((((( [email protected]_23.34.54.14 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2006-08-17 12:28:27 721,920 -c----w C:\WINDOWS\$NtUninstallKB943485$\lsasrv.dll
    + 2006-08-17 12:28:27 721,920 -c----w C:\WINDOWS\$NtUninstallKB943485_0$\lsasrv.dll
    + 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB943485_0$\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB943485_0$\spuninst\updspapi.dll
    + 2008-09-26 15:36:27 25,214 ----a-r C:\WINDOWS\Installer\{46A84694-59EC-48F0-964C-7E76E9F8A2ED}\ARPPRODUCTICON.exe
    + 2008-09-26 15:36:27 25,214 ----a-r C:\WINDOWS\Installer\{46A84694-59EC-48F0-964C-7E76E9F8A2ED}\NewShortcut21_46A8469459EC48F0964C7E76E9F8A2ED.exe
    - 2008-05-10 01:16:25 53,248 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\ARPPRODUCTICON.exe
    + 2008-09-26 15:00:44 53,248 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\ARPPRODUCTICON.exe
    - 2008-05-10 01:16:25 53,248 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe2_8675339C128C44DD83BF0A5D6ABD8297.exe
    + 2008-09-26 15:00:44 53,248 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe2_8675339C128C44DD83BF0A5D6ABD8297.exe
    - 2008-05-10 01:16:25 49,152 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe3_8675339C128C44DD83BF0A5D6ABD8297.exe
    + 2008-09-26 15:00:44 49,152 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe3_8675339C128C44DD83BF0A5D6ABD8297.exe
    - 2004-08-04 04:56:44 423,936 -c--a-w C:\WINDOWS\system32\dllcache\licdll.dll
    + 2005-04-01 18:39:52 423,936 -c--a-w C:\WINDOWS\system32\dllcache\licdll.dll
    - 2007-11-07 09:26:56 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
    + 2007-11-07 09:50:47 727,040 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
    - 2004-08-04 04:56:58 502,272 -c--a-w C:\WINDOWS\system32\dllcache\winlogon.exe
    + 2005-04-01 18:19:51 502,784 -c--a-w C:\WINDOWS\system32\dllcache\winlogon.exe
    + 2008-05-14 10:51:16 19,496 ----a-w C:\WINDOWS\system32\drivers\ApsHM86.sys
    + 2008-05-14 10:51:16 114,728 ----a-w C:\WINDOWS\system32\drivers\ApsX86.sys
    - 2004-08-04 04:56:44 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
    + 2005-04-01 18:39:52 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
    - 2007-11-07 09:26:56 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    + 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
    - 2005-11-04 06:50:00 61,440 ----a-w C:\WINDOWS\system32\Sensor.dll
    + 2008-05-14 10:51:14 20,256 ----a-w C:\WINDOWS\system32\Sensor.DLL
    - 2005-06-20 06:45:00 77,824 ----a-w C:\WINDOWS\system32\TPHDEXLG.exe
    + 2008-05-14 10:51:16 37,416 ----a-w C:\WINDOWS\system32\TPHDEXLG.exe
    - 2006-03-15 13:34:54 479,232 ----a-w C:\WINDOWS\system32\TpShCPL.dll
    + 2008-06-06 12:51:00 492,832 ----a-w C:\WINDOWS\system32\TpShCPL.dll
    + 2008-06-06 12:51:02 128,288 ----a-w C:\WINDOWS\system32\TpShEvUI.exe
    - 2006-03-15 13:34:48 106,496 ----a-w C:\WINDOWS\system32\TpShocks.exe
    + 2008-06-06 12:51:04 181,536 ----a-w C:\WINDOWS\system32\TpShocks.exe
    - 2004-08-04 04:56:58 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
    + 2005-04-01 18:19:51 502,784 ----a-w C:\WINDOWS\system32\winlogon.exe
    - 2008-09-25 18:03:41 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
    + 2008-09-27 17:52:13 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
    - 2008-09-25 18:01:49 632,560 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
    + 2008-09-27 17:56:43 640,008 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
    - 2008-09-22 17:27:48 14,240,256 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
    + 2008-09-27 17:55:16 14,241,792 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2006-06-02 36864]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-22 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 856064]
    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-01-21 135168]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-09 110592]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-09 512000]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2006-09-08 146944]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 131072]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 163840]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 135168]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-09 185896]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-10 981904]
    "TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
    "TpShocks"="TpShocks.exe" [2008-06-06 C:\WINDOWS\system32\TpShocks.exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-01 622653]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-05 24576]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-11-30 20:16 24576 C:\WINDOWS\system32\tphklock.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a------ 2006-06-15 12:36 229376 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-08-06 23:13 98304 C:\Program Files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-05-09 22:32 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2007-01-19 12:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "BMa728ef1d"=Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s
    "a41bdc81"=rundll32.exe "C:\WINDOWS\system32\agtwwggr.dll",b
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "21954:TCP"= 21954:TCP:BitComet 21954 TCP
    "21954:UDP"= 21954:UDP:BitComet 21954 UDP
    R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2008-05-14 114728]
    R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
    R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 14208]
    R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 11520]
    R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 2432]
    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-01-21 4442]
    R2 FLYCAM;FlyCam, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\flycam.sys [2006-01-12 705408]
    R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 6016]
    S2 CameraServer;CameraServer;c:\FlyCam\CameraServer.exe [ ]
    S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\Bhagwan\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [ ]
    S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 12288]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26fa9fe2-c9c7-11dc-90a0-00166f90eb62}]
    \Shell\Auto\command - MicrosoftPowerPoint.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b645eab-0f7b-11dc-8ecd-00166f90eb62}]
    \Shell\AutoRun\command - EXPLORER.EXE
    \Shell\explore\Command - EXPLORER.EXE
    \Shell\open\Command - EXPLORER.EXE
    *Newly Created Service* - THINKVANTAGE_REGISTRY_MONITOR_SERVICE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Bhagwan\Application Data\Mozilla\Firefox\Profiles\i6cfkz79.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-27 23:30:20
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files:
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tphklock.dll
    .
    Completion time: 2008-09-27 23:32:48
    ComboFix-quarantined-files.txt 2008-09-27 18:02:39
    ComboFix2.txt 2008-09-25 18:05:55
    Pre-Run: 1,803,489,280 bytes free
    Post-Run: 2,261,127,168 bytes free
    237 --- E O F --- 2008-09-27 17:42:39
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Please go to this site: http://virusscan.jotti.org/

    Use the Browse button at Jotti.
    Navigate to the file's location on your hard drive and submit it:
    C:\WINDOWS\system32\uDLlRXyb.ini2
    Let me know what it says regarding the file.
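The check applied above (a file in system32 carrying hidden+system attributes, a random-looking name and an odd extension, which is what singles out uDLlRXyb.ini2 among the legitimate files created in the same window) as a small triage script over ComboFix "Files Created" lines. This is an added example, not code from the thread or from ComboFix; the scoring heuristics and the KNOWN_EXT list are this example's own assumptions.

```python
"""Triage the 'Files Created' section of a ComboFix log.

Added example, not part of the thread or of ComboFix. It reproduces the
check the helper made by eye: a regular file in system32 with hidden+system
attributes, a random-looking name and a non-standard extension (uDLlRXyb.ini2)
stands out from the legitimate files created in the same window. The scoring
rules are this example's own heuristics; sample lines are from the log above.
"""
import re
from dataclasses import dataclass

# ComboFix layout: created . modified size|<DIR> attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?:(?P<size>[\d,]+)|<DIR>) (?P<attrs>[-dahsrc]{9}) (?P<path>\S.*)$"
)
# Assumed set of extensions that are unremarkable in system32 (example's own).
KNOWN_EXT = {"dll", "sys", "exe", "dat", "idx", "xml", "ini", "log", "cat"}

@dataclass
class Entry:
    created: str
    is_dir: bool
    attrs: str   # nine-char flag field, e.g. --ahs---- (archive, hidden, system)
    path: str

def parse_entries(log: str) -> list[Entry]:
    """Parse every file/dir line; banners, dots and blanks are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["size"] is None, m["attrs"], m["path"]))
    return entries

def looks_random(stem: str) -> bool:
    """Eight letters with several upper/lower case flips, like uDLlRXyb."""
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return flips >= 3

def suspicion_score(e: Entry) -> int:
    """One point per signal; 2 or more deserves a hash lookup or submission."""
    if e.is_dir or "\\system32\\" not in e.path.lower():
        return 0
    stem, _, ext = e.path.rsplit("\\", 1)[-1].rpartition(".")
    score = 0
    score += "h" in e.attrs and "s" in e.attrs  # hidden+system data file
    score += looks_random(stem)                  # generated-looking file name
    score += ext.lower() not in KNOWN_EXT        # odd extension such as .ini2
    return score

def flag_suspicious(log: str, threshold: int = 2) -> list[str]:
    """Paths worth a second look, in log order."""
    return [e.path for e in parse_entries(log) if suspicion_score(e) >= threshold]

# Constructed sample: six lines copied from the ComboFix log posted above.
SAMPLE_LOG = """\
2008-09-26 18:28 . 2008-09-10 00:03 17,200 --a------ C:\\WINDOWS\\system32\\drivers\\mbam.sys
2008-09-21 13:59 . 2008-09-21 13:59 <DIR> d--hs---- C:\\Documents and Settings\\Bhagwan\\PrivacIE
2008-09-21 13:42 . 2006-10-17 13:06 78,336 --a------ C:\\WINDOWS\\system32\\ieencode.dll
2008-09-14 22:18 . 2008-09-20 22:30 381,920 --ahs---- C:\\WINDOWS\\system32\\uDLlRXyb.ini2
2008-09-14 21:58 . 2008-09-27 23:30 120,318,496 --ahs---- C:\\WINDOWS\\system32\\drivers\\fidbox.dat
2008-09-14 21:53 . 2008-08-10 21:42 1,221,008 --a------ C:\\WINDOWS\\system32\\zpeng25.dll
"""

if __name__ == "__main__":
    for path in flag_suspicious(SAMPLE_LOG):
        print("review:", path)   # only the uDLlRXyb.ini2 entry is listed
```

The ZoneAlarm fidbox.dat file is also hidden+system but scores only one point, which is why the threshold sits at two.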
     
  11. sudeepji

    sudeepji Thread Starter

    Joined:
    Sep 24, 2008
    Messages:
    19
    There was no file under this name in the said folder... However there was a file in this path:

    C:\QooBox\Quarantine\C\WINDOWS\system32/uDLlRXyb.ini.vir

    I had it scanned on Jotti... and here is the result:

    File: uDLlRXyb.ini.vir Status: OK
    MD5: d7f1252bf30817ee42dc327e5bb6ca5f Packers detected: -
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Okay. How are things now? Can you post a new HJT log?
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You can delete the contents of this folder by the way: C:\QooBox\Quarantine
     
  14. sudeepji

    sudeepji Thread Starter

    Joined:
    Sep 24, 2008
    Messages:
    19
    Things are pretty fine now.. A big thanks to you bro.. !!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:29:20 PM, on 9/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Lenovo\System Update\SUService.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 3605 bytes
     
  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Looks good :)

    Now turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer.

    Turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    You can mark your thread "Solved" from the Thread Tools drop down menu.
     
Short URL to this thread: https://techguy.org/753244