Solved: Hope to get Help here... Trojan Problem

sudeepji · Sep 25, 2008

Hi,

I believe finally I got a site which would help me solving my problem. Seems to be a great site.. Thanks all techie guys here...

Well my problem is that my lappi suffered from virtumunde trojan last week.. I have zonealarm which is updated regularly, but it was not detecting this trojan.. My internet explorer was running very slowly and opening unwanted sites.. Scanned my system with spyware doctor, Normal Malware, vundofix (Also in safe mode)... I was able to clean this virtumunde (I believe so, because spyware doctor no more finding it now)

opening of unwanted sites was stopped... But I am still facing a problem of interent explorer slowing down while opening some sites... doesnt work for gmail, google search, yahoo mail, naukri, etc etc... I am really bugged up... Then I tried bhodamon and disable all the add ons... even Firefox has same problem... But unable to solve my problem... Kindly help me guys....

God Bless You All ...

Here is the hijack log :
--------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:54 PM, on 9/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (disabled by BHODemon)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMa728ef1d] Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [each default] C:\DOCUME~1\Bhagwan\APPLIC~1\FIVEDU~1\Junk tool stop.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163697208468
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqRJBTJB - rqRJBTJB.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 11279 bytes

sudeepji · Sep 25, 2008

Anybody ??

Cheeseball81 · Sep 25, 2008

Hi and welcome

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

...

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

sudeepji · Sep 25, 2008

Hey Thanks Buddy, I did exactly what you told.. Here is the combofix report alongwith hijackthis report afterwards. Kindly review...

ComboFix 08-09-25.03 - Bhagwan 2008-09-25 23:26:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.202 [GMT 5.5:30]
Running from: C:\Documents and Settings\Bhagwan\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Bhagwan\Local Settings\Temporary Internet Files\SuggestedSites.dat
C:\WINDOWS\BMa728ef1d.txt
C:\WINDOWS\BMa728ef1d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bdkeibjj.ini
C:\WINDOWS\system32\ffxvbmgn.ini
C:\WINDOWS\system32\fnvcqlpt.ini
C:\WINDOWS\system32\gqnkfpst.ini
C:\WINDOWS\system32\kijljhyn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\rggwwtga.ini
C:\WINDOWS\system32\uDLlRXyb.ini
C:\WINDOWS\system32\ypbvltbr.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_POWERMANAGER

((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.
2008-09-24 22:40 . 2008-09-24 22:41 <DIR> d-------- C:\Program Files\SpyNoMore
2008-09-22 22:49 . 2008-09-22 22:49 <DIR> d-------- C:\VundoFix Backups
2008-09-21 13:59 . 2008-09-21 13:59 <DIR> d--hs---- C:\Documents and Settings\Bhagwan\PrivacIE
2008-09-21 13:42 . 2006-10-17 13:06 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
2008-09-21 13:42 . 2006-10-17 13:06 78,336 --a------ C:\WINDOWS\system32\dllcache\ieencode.dll
2008-09-21 09:58 . 2008-09-25 21:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-20 22:06 . 2008-09-20 22:06 114,688 --a------ C:\WINDOWS\system32\gkyfvmxn.dll
2008-09-19 22:12 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-19 22:12 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-19 22:12 . 2008-09-19 22:21 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-19 22:12 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-19 22:11 . 2008-09-20 18:44 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-19 22:11 . 2008-09-19 22:11 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\PC Tools
2008-09-19 21:45 . 2008-09-19 21:45 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\Uniblue
2008-09-19 21:44 . 2008-09-19 21:44 <DIR> d-------- C:\Program Files\Uniblue
2008-09-18 22:21 . 2008-09-18 22:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-18 22:19 . 2008-09-18 22:43 <DIR> d-------- C:\Documents and Settings\Bhagwan\.housecall6.6
2008-09-18 21:33 . 2008-09-18 21:33 89,600 --a------ C:\WINDOWS\system32\agtwwggr.dll
2008-09-18 21:31 . 2008-09-18 21:31 112,640 --a------ C:\WINDOWS\system32\odcshpmt.dll
2008-09-18 21:31 . 2008-09-18 21:31 112,640 --a------ C:\WINDOWS\system32\kxbhur.dll
2008-09-16 21:35 . 2008-09-16 21:35 112,128 --a------ C:\WINDOWS\system32\xtvapr.dll
2008-09-16 21:35 . 2008-09-16 21:35 112,128 --a------ C:\WINDOWS\system32\hdsurtcy.dll
2008-09-15 20:05 . 2008-09-15 20:05 112,128 --a------ C:\WINDOWS\system32\etwlhz.dll
2008-09-15 20:05 . 2008-09-15 20:05 112,128 --a------ C:\WINDOWS\system32\cvhboxjs.dll
2008-09-14 22:22 . 2008-09-14 22:22 111,616 --a------ C:\WINDOWS\system32\zifbyl.dll
2008-09-14 22:21 . 2008-09-14 22:22 111,616 --a------ C:\WINDOWS\system32\agsqrpwh.dll
2008-09-14 22:18 . 2008-09-20 22:30 381,920 --ahs---- C:\WINDOWS\system32\uDLlRXyb.ini2
2008-09-14 22:18 . 2008-09-14 22:19 99,328 --------- C:\WINDOWS\system32\subbwyxv.dll
2008-09-14 21:59 . 2008-09-14 21:59 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\MailFrontier
2008-09-14 21:58 . 2008-09-25 23:34 112,732,960 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-14 21:58 . 2008-09-25 23:30 1,511,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-14 21:53 . 2008-09-14 21:53 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-14 21:53 . 2008-08-10 21:42 1,221,008 --a------ C:\WINDOWS\system32\zpeng25.dll
2008-09-14 21:53 . 2008-08-10 21:42 72,592 --a------ C:\WINDOWS\zllsputility.exe
2008-09-14 21:52 . 2008-09-25 23:32 349,222 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-09-14 14:13 . 2008-09-14 14:13 <DIR> d-------- C:\Program Files\Unlocker
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-25 17:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-21 09:48 --------- d-----w C:\Program Files\Google
2008-09-20 19:12 --------- d-----w C:\Program Files\Folder Lock
2008-09-20 19:07 --------- d-----w C:\Program Files\BitTorrent
2008-09-20 15:08 --------- d-----w C:\Documents and Settings\Bhagwan\Application Data\BitTorrent
2008-09-15 12:35 1,229,312 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-09-14 09:24 60,416 ----a-w C:\WINDOWS\system32\rbap350.dll
2008-09-14 09:24 54,784 ----a-w C:\WINDOWS\system32\RBQT350.DLL
2008-09-11 14:50 60,416 ----a-w C:\WINDOWS\rbap350.dll
2008-09-11 14:50 54,784 ----a-w C:\WINDOWS\RBQT350.DLL
2008-08-31 15:20 --------- d-----w C:\Program Files\Java
2008-08-05 12:25 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-08-01 15:36 --------- d-----w C:\Program Files\Sun
2008-07-18 16:40 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 16:40 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 16:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 16:40 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 16:39 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 16:39 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 16:39 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 16:39 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 16:37 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 16:37 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 02:19 16,234,924 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
1998-12-08 21:23 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-08 21:23 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-08 21:23 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-08 21:23 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-08 21:23 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-08 21:23 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2006-06-02 36864]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-22 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 856064]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-01-21 135168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-09 512000]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2006-09-08 146944]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 135168]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-09 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-10 981904]
"BMa728ef1d"="C:\WINDOWS\system32\subbwyxv.dll" [2008-09-14 99328]
"TpShocks"="TpShocks.exe" [2006-03-15 C:\WINDOWS\system32\TpShocks.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-01 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-05 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 20:16 24576 C:\WINDOWS\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-08-06 23:13 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-09 22:32 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 12:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"BMa728ef1d"=Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s
"a41bdc81"=rundll32.exe "C:\WINDOWS\system32\agtwwggr.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21954:TCP"= 21954:TCP:BitComet 21954 TCP
"21954:UDP"= 21954:UDP:BitComet 21954 UDP
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2006-03-15 88576]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 14208]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 11520]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 2432]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 4736]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-01-21 4442]
R2 FLYCAM;FlyCam, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\flycam.sys [2006-01-12 705408]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 6016]
S2 CameraServer;CameraServer;c:\FlyCam\CameraServer.exe [ ]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\Bhagwan\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [ ]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 12288]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26fa9fe2-c9c7-11dc-90a0-00166f90eb62}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b645eab-0f7b-11dc-8ecd-00166f90eb62}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-each default - C:\DOCUME~1\Bhagwan\APPLIC~1\FIVEDU~1\Junk tool stop.exe
HKLM-Run-osCheck - C:\Program Files\Norton Internet Security\osCheck.exe
ShellExecuteHooks-{9E563692-6E8F-4DB6-BA56-42EF3BA3F84F} - (no file)
Notify-rqRJBTJB - rqRJBTJB.dll
MSConfigStartUp-ICQ Lite - C:\Program Files\ICQLite\ICQLite.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bhagwan\Application Data\Mozilla\Firefox\Profiles\i6cfkz79.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 23:33:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\subbwyxv.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-25 23:35:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 18:05:39
Pre-Run: 1,776,345,088 bytes free
Post-Run: 2,587,348,992 bytes free
261 --- E O F --- 2008-09-11 17:36:44

##################################################

Hijackthis report :-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:14 PM, on 9/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BMa728ef1d] Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163697208468
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 9520 bytes

Cheeseball81 · Sep 25, 2008

Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2

Make sure you are connected to the Internet.

Double-click on Download_mbam-setup.exe to install the application.

When the installation begins, follow the prompts and do not make any changes to default settings.

When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware

Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.

Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.

Make sure that everything is checked, and click Remove Selected.

When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply with a new hijackthis log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

sudeepji · Sep 26, 2008

Hey Cheeseball,

Thanks a lot buddy... I did what you told... here is the mbam report file along with hijack log below. Please review...

-----------------------

Malwarebytes' Anti-Malware 1.28
Database version: 1209
Windows 5.1.2600 Service Pack 2
9/26/2008 6:58:29 PM
mbam-log-2008-09-26 (18-58-29).txt
Scan type: Quick Scan
Objects scanned: 59484
Time elapsed: 22 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 35
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\subbwyxv.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bma728ef1d (Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\subbwyxv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gkyfvmxn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cvhboxjs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\etwlhz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hdsurtcy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odcshpmt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\agsqrpwh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\agtwwggr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kxbhur.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xtvapr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zifbyl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMa728ef1d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMa728ef1d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_114_Sudha_7D.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_115.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_116.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_117.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\HospitalProjectModel_119.xls (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\IHC_PPM (LLC Company) AM Comments (clean) (2).doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\~WRD2422.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\dd_netfx20MSI5668.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\dd_netfx20UI5668.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\buildabear2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\carlsjrburger.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\football2006.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\grudge2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\mandmsdark.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\nordstrom5.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\poptartsotc.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\tampax.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\vwchocolate.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\wellsfargo2.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Local Settings\Temp\ysmash.bmp (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\sudeep\Desktop\sudha.txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.

---------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:01 PM, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163697208468
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10045 bytes

sudeepji · Sep 26, 2008

Well I think the my problem is solved now... IE is working very well..

Thanks a lot for this support bro... Kindly review if everything all right.

Cheeseball81 · Sep 26, 2008

You're welcome

I would still like to see one last log from ComboFix. I think MBAM got rid of most of the leftovers.

sudeepji · Sep 27, 2008

Cheeseball81 said: ↑

You're welcome

I would still like to see one last log from ComboFix. I think MBAM got rid of most of the leftovers.
Click to expand...

Thanks Buddy... Here is the combofix log.. kindly review :

ComboFix 08-09-26.06 - Bhagwan 2008-09-27 23:24:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.72 [GMT 5.5:30]
Running from: C:\Documents and Settings\Bhagwan\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.
2008-09-26 20:30 . 2008-09-26 20:30 <DIR> d-------- C:\Program Files\Common Files\Lenovo
2008-09-26 18:28 . 2008-09-26 18:28 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\Malwarebytes
2008-09-26 18:28 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-26 18:27 . 2008-09-26 18:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-26 18:27 . 2008-09-26 18:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-26 18:27 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-24 22:40 . 2008-09-24 22:41 <DIR> d-------- C:\Program Files\SpyNoMore
2008-09-22 22:49 . 2008-09-22 22:49 <DIR> d-------- C:\VundoFix Backups
2008-09-21 13:59 . 2008-09-21 13:59 <DIR> d--hs---- C:\Documents and Settings\Bhagwan\PrivacIE
2008-09-21 13:42 . 2006-10-17 13:06 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
2008-09-21 13:42 . 2006-10-17 13:06 78,336 --a------ C:\WINDOWS\system32\dllcache\ieencode.dll
2008-09-21 09:58 . 2008-09-27 23:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-19 22:12 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-19 22:12 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-19 22:12 . 2008-09-19 22:21 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-19 22:12 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-19 22:11 . 2008-09-20 18:44 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-19 22:11 . 2008-09-19 22:11 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\PC Tools
2008-09-19 21:45 . 2008-09-19 21:45 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\Uniblue
2008-09-19 21:44 . 2008-09-19 21:44 <DIR> d-------- C:\Program Files\Uniblue
2008-09-18 22:21 . 2008-09-18 22:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-18 22:19 . 2008-09-18 22:43 <DIR> d-------- C:\Documents and Settings\Bhagwan\.housecall6.6
2008-09-14 22:18 . 2008-09-20 22:30 381,920 --ahs---- C:\WINDOWS\system32\uDLlRXyb.ini2
2008-09-14 21:59 . 2008-09-14 21:59 <DIR> d-------- C:\Documents and Settings\Bhagwan\Application Data\MailFrontier
2008-09-14 21:58 . 2008-09-27 23:30 120,318,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-14 21:58 . 2008-09-26 22:56 1,567,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-14 21:53 . 2008-09-14 21:53 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-14 21:53 . 2008-08-10 21:42 1,221,008 --a------ C:\WINDOWS\system32\zpeng25.dll
2008-09-14 21:53 . 2008-08-10 21:42 72,592 --a------ C:\WINDOWS\zllsputility.exe
2008-09-14 21:52 . 2008-09-27 23:04 349,222 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-09-14 14:13 . 2008-09-14 14:13 <DIR> d-------- C:\Program Files\Unlocker
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 17:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-26 15:00 --------- d-----w C:\Program Files\Lenovo
2008-09-21 09:48 --------- d-----w C:\Program Files\Google
2008-09-20 19:12 --------- d-----w C:\Program Files\Folder Lock
2008-09-20 19:07 --------- d-----w C:\Program Files\BitTorrent
2008-09-20 15:08 --------- d-----w C:\Documents and Settings\Bhagwan\Application Data\BitTorrent
2008-09-15 12:35 1,229,312 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-09-11 14:50 60,416 ----a-w C:\WINDOWS\rbap350.dll
2008-09-11 14:50 54,784 ----a-w C:\WINDOWS\RBQT350.DLL
2008-08-31 15:20 --------- d-----w C:\Program Files\Java
2008-08-01 15:36 --------- d-----w C:\Program Files\Sun
2008-07-01 02:19 16,234,924 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
1998-12-08 21:23 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-08 21:23 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-08 21:23 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-08 21:23 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-08 21:23 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-08 21:23 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( [email protected]_23.34.54.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-08-17 12:28:27 721,920 -c----w C:\WINDOWS\$NtUninstallKB943485$\lsasrv.dll
+ 2006-08-17 12:28:27 721,920 -c----w C:\WINDOWS\$NtUninstallKB943485_0$\lsasrv.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\$NtUninstallKB943485_0$\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\$NtUninstallKB943485_0$\spuninst\updspapi.dll
+ 2008-09-26 15:36:27 25,214 ----a-r C:\WINDOWS\Installer\{46A84694-59EC-48F0-964C-7E76E9F8A2ED}\ARPPRODUCTICON.exe
+ 2008-09-26 15:36:27 25,214 ----a-r C:\WINDOWS\Installer\{46A84694-59EC-48F0-964C-7E76E9F8A2ED}\NewShortcut21_46A8469459EC48F0964C7E76E9F8A2ED.exe
- 2008-05-10 01:16:25 53,248 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\ARPPRODUCTICON.exe
+ 2008-09-26 15:00:44 53,248 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\ARPPRODUCTICON.exe
- 2008-05-10 01:16:25 53,248 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe2_8675339C128C44DD83BF0A5D6ABD8297.exe
+ 2008-09-26 15:00:44 53,248 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe2_8675339C128C44DD83BF0A5D6ABD8297.exe
- 2008-05-10 01:16:25 49,152 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe3_8675339C128C44DD83BF0A5D6ABD8297.exe
+ 2008-09-26 15:00:44 49,152 ----a-r C:\WINDOWS\Installer\{8675339C-128C-44DD-83BF-0A5D6ABD8297}\tvsu.exe3_8675339C128C44DD83BF0A5D6ABD8297.exe
- 2004-08-04 04:56:44 423,936 -c--a-w C:\WINDOWS\system32\dllcache\licdll.dll
+ 2005-04-01 18:39:52 423,936 -c--a-w C:\WINDOWS\system32\dllcache\licdll.dll
- 2007-11-07 09:26:56 721,920 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:50:47 727,040 -c--a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2004-08-04 04:56:58 502,272 -c--a-w C:\WINDOWS\system32\dllcache\winlogon.exe
+ 2005-04-01 18:19:51 502,784 -c--a-w C:\WINDOWS\system32\dllcache\winlogon.exe
+ 2008-05-14 10:51:16 19,496 ----a-w C:\WINDOWS\system32\drivers\ApsHM86.sys
+ 2008-05-14 10:51:16 114,728 ----a-w C:\WINDOWS\system32\drivers\ApsX86.sys
- 2004-08-04 04:56:44 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
+ 2005-04-01 18:39:52 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
- 2007-11-07 09:26:56 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
- 2005-11-04 06:50:00 61,440 ----a-w C:\WINDOWS\system32\Sensor.dll
+ 2008-05-14 10:51:14 20,256 ----a-w C:\WINDOWS\system32\Sensor.DLL
- 2005-06-20 06:45:00 77,824 ----a-w C:\WINDOWS\system32\TPHDEXLG.exe
+ 2008-05-14 10:51:16 37,416 ----a-w C:\WINDOWS\system32\TPHDEXLG.exe
- 2006-03-15 13:34:54 479,232 ----a-w C:\WINDOWS\system32\TpShCPL.dll
+ 2008-06-06 12:51:00 492,832 ----a-w C:\WINDOWS\system32\TpShCPL.dll
+ 2008-06-06 12:51:02 128,288 ----a-w C:\WINDOWS\system32\TpShEvUI.exe
- 2006-03-15 13:34:48 106,496 ----a-w C:\WINDOWS\system32\TpShocks.exe
+ 2008-06-06 12:51:04 181,536 ----a-w C:\WINDOWS\system32\TpShocks.exe
- 2004-08-04 04:56:58 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
+ 2005-04-01 18:19:51 502,784 ----a-w C:\WINDOWS\system32\winlogon.exe
- 2008-09-25 18:03:41 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
+ 2008-09-27 17:52:13 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
- 2008-09-25 18:01:49 632,560 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-09-27 17:56:43 640,008 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-09-22 17:27:48 14,240,256 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-09-27 17:55:16 14,241,792 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [2006-06-02 36864]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-22 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-02 856064]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-01-21 135168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-09 512000]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2006-09-08 146944]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 135168]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-09 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-10 981904]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TpShocks"="TpShocks.exe" [2008-06-06 C:\WINDOWS\system32\TpShocks.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-01 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-05 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 23:45 28672 C:\WINDOWS\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 20:16 24576 C:\WINDOWS\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-08-06 23:13 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-09 22:32 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 12:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"BMa728ef1d"=Rundll32.exe "C:\WINDOWS\system32\subbwyxv.dll",s
"a41bdc81"=rundll32.exe "C:\WINDOWS\system32\agtwwggr.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21954:TCP"= 21954:TCP:BitComet 21954 TCP
"21954:UDP"= 21954:UDP:BitComet 21954 UDP
R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 14208]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 11520]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 2432]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-01-21 4442]
R2 FLYCAM;FlyCam, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\flycam.sys [2006-01-12 705408]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 6016]
S2 CameraServer;CameraServer;c:\FlyCam\CameraServer.exe [ ]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\Bhagwan\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [ ]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 12288]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26fa9fe2-c9c7-11dc-90a0-00166f90eb62}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b645eab-0f7b-11dc-8ecd-00166f90eb62}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
*Newly Created Service* - THINKVANTAGE_REGISTRY_MONITOR_SERVICE
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bhagwan\Application Data\Mozilla\Firefox\Profiles\i6cfkz79.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 23:30:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-09-27 23:32:48
ComboFix-quarantined-files.txt 2008-09-27 18:02:39
ComboFix2.txt 2008-09-25 18:05:55
Pre-Run: 1,803,489,280 bytes free
Post-Run: 2,261,127,168 bytes free
237 --- E O F --- 2008-09-27 17:42:39

Cheeseball81 · Sep 27, 2008

Please go to this site: http://virusscan.jotti.org/

Use the Browse button at Jotti.
Navigate to the file's location on your hard drive and submit it:
C:\WINDOWS\system32\uDLlRXyb.ini2
Let me know what it says regarding the file.

sudeepji · Sep 28, 2008

There was no file under this name in the said folder... However there was a file in this path :

C:\QooBox\Quarantine\C\WINDOWS\system32/uDLlRXyb.ini.vir

I had it scanned on jotty ... and here is the result :

File: uDLlRXyb.ini.vir Status: OK
MD5: d7f1252bf30817ee42dc327e5bb6ca5f Packers detected: -

Cheeseball81 · Sep 28, 2008

Okay. How are things now? Can you post a new HJT log?

Cheeseball81 · Sep 28, 2008

You can delete the contents of this folder by the way: C:\QooBox\Quarantine

sudeepji · Sep 29, 2008

Cheeseball81 said: ↑

Okay. How are things now? Can you post a new HJT log?
Click to expand...

Things are pretty fine now.. A big thanks to you bro.. !!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:20 PM, on 9/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 3605 bytes

Cheeseball81 · Sep 29, 2008

Looks good

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

You can mark your thread "Solved" from the Thread Tools drop down menu.

Log in or Sign up

Solved: Hope to get Help here... Trojan Problem

sudeepji Thread Starter

sudeepji Thread Starter

Cheeseball81 Retired Moderator

sudeepji Thread Starter

Cheeseball81 Retired Moderator

sudeepji Thread Starter

sudeepji Thread Starter

Cheeseball81 Retired Moderator

sudeepji Thread Starter

Cheeseball81 Retired Moderator

sudeepji Thread Starter

Cheeseball81 Retired Moderator

Cheeseball81 Retired Moderator

sudeepji Thread Starter

Cheeseball81 Retired Moderator

Sponsor

Welcome to Tech Support Guy!

Log in or Sign up

Solved: Hope to get Help here... Trojan Problem

sudeepji Thread Starter

sudeepji Thread Starter

Cheeseball81 Retired Moderator

sudeepji Thread Starter

Cheeseball81 Retired Moderator

sudeepji Thread Starter

sudeepji Thread Starter

Cheeseball81 Retired Moderator

sudeepji Thread Starter

Cheeseball81 Retired Moderator

sudeepji Thread Starter

Cheeseball81 Retired Moderator

Cheeseball81 Retired Moderator

sudeepji Thread Starter

Cheeseball81 Retired Moderator

Sponsor

Welcome to Tech Support Guy!

Useful Searches