1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Sulimo.dat & Generic.dx trojan problem

Discussion in 'Virus & Other Malware Removal' started by Scott Hattrup, Nov 11, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Scott Hattrup

    Scott Hattrup Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    9
    Hi,

    I'm running an IBM Thinkpad laptop with Windows XP Pro. I currently have McAfee running as the AV program, as well as SpyHunter 2.9 and Windows Defender. If you would like to suggest a better software protection package, feel free to do so. McAfee isn't doing much for me.

    Thanks in advance for any help. This morning when I rebooted my computer, McAfee Antivirus kept popping up a Trojan warning stating that C:\WINDOWS\System32\sulimo.dat had been infected by the Generic.dx trojan. The warning gave the option to delete or quarantine that program, or to resume what I was doing. Any option I pick results in a loop. If I try to delete the file, it reinstalls within a few seconds and pops up the same warning. If I try to quarantine the file, it comes back as in use, read only or restricted, and not able to be quarantined, and then I get the warning again. If I try doing nothing, McAfee asks me if I'm sure, and then pops the warning up again in about three seconds. Some of the other problems are that my control panel has disappeared, and I have a hard time pulling up the My Computer window to check files on the hard drive. It also keeps me from running Internet Explorer, thus preventing access to the internet.

    I ran a google search for cures to this problem and found your site. So far I have been able to download FixWareout and saved the log on reboot. I was also able to briefly access the Internet after repeatedly booting into safe mode, having to shut down, and then restarting the computer. During one of those times online, I was able to download HijackThis and ran a system scan and log. I checked the log entry that mentioned sulimo.dat, which read "020 AppInit_DLLs: C:\Windows\system32\sulimo.dat." I then ran the fix option and selected the delete file after reboot option for sulimo.dat.

    The problem seems to have been alleviated, but not entirely. I was able to restart the computer after a couple tries, and it will apparently start IE and access the net now, but I'm hoping to get rid of this thing for good.

    Please let me know if you need me to post the logs I have taken, take new logs and post them, or what additional steps I can take to get rid of this pesky thing. The endless loop rendering my computer unusable makes me want to track down the trojan author and sit him down at my computer with a bat to his head. Every pass through after the first one, or repeat occurrence of the loop should result in one swing of the bat against his head. If he can fix the problem quickly, the bat will not swing. If not, well, no more viruses from that source. That's just a fantasy, but I really would like to solve this problem permanently. Please help!

    Thanks.
    Scott
     
  2. Scott Hattrup

    Scott Hattrup Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    9
    Log regarding this problem:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:36:04 PM, on 11/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\McAfee\MWL\MwlSvc.exe
    c:\program files\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\Program Files\Common Files\AOL\1189196369\ee\AOLSoftware.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\McAfee\MWL\MwlGui.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\Program Files\McAfee.com\Personal Firewall\MpfWizard.exe
    C:\Program Files\McAfee.com\Personal Firewall\MpfWizard.exe
    C:\Program Files\McAfee.com\Personal Firewall\MpfWizard.exe
    C:\Program Files\McAfee.com\Personal Firewall\MpfWizard.exe
    C:\Program Files\McAfee.com\Personal Firewall\MpfWizard.exe
    C:\Program Files\McAfee.com\Personal Firewall\MpfWizard.exe
    C:\WINDOWS\system32\wuauclt.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\program files\mcafee.com\vso\mcvsmap.exe
    C:\WINDOWS\system32\wuauclt.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Documents and Settings\Marge\Desktop\HJTInstall.exe
    C:\Documents and Settings\Marge\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\TASKMAN.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    F2 - REG:system.ini: Shell=
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189196369\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\McAfee\MWL\MwlGui.exe /Start
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee Wireless Security Service (MwlSvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MWL\MwlSvc.exe
    O23 - Service: Pantech&Curitel Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 10818 bytes
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!

    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  4. Scott Hattrup

    Scott Hattrup Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    9
    ComboFix 07-11-19.3 - Marge 2007-11-22 2:27:27.1 - NTFSx86
    Running from: C:\Documents and Settings\Marge\Local Settings\Temporary Internet Files\Content.IE5\NOKAURX9\ComboFix[1].exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\dat.txt
    C:\WINDOWS\rs.txt
    C:\WINDOWS\search_res.txt
    C:\WINDOWS\xlavba6.exe
    C:\WINDOWS\xlavra3.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
    .

    2007-11-21 00:09 <DIR> C:\WINDOWS\LastGood.Tmp
    2007-11-10 21:31 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-10 13:55 <DIR> d-------- C:\Documents and Settings\Marge\Application Data\InterVideo
    2007-11-10 13:27 14 --a------ C:\WINDOWS\system32\MPFServiceFailureCount.txt
    2007-10-22 16:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-10 19:51 --------- d-----w C:\Documents and Settings\Marge\Application Data\McAfee.com Personal Firewall
    2007-10-30 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
    2007-10-22 22:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2007-10-22 03:50 --------- d-----w C:\Program Files\Windows Defender
    2007-10-21 02:07 --------- d-----w C:\Program Files\Enigma Software Group
    2007-10-19 16:59 --------- d-----w C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
    2007-10-19 16:58 --------- d-----w C:\Program Files\McAfee.com
    2007-10-19 16:55 --------- d-----w C:\Program Files\Common Files\AOL
    2007-10-19 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
    2007-10-19 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2007-10-19 16:36 --------- d-----w C:\Program Files\McAfee
    2007-10-19 16:36 --------- d-----w C:\Documents and Settings\Marge\Application Data\McAfee
    2007-10-19 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-10-19 15:49 99,032 ----a-w C:\WINDOWS\system32\trust.dll
    2007-10-19 15:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-09-07 03:06 109,568 ------w C:\WINDOWS\system32\pxinsi64.exe
    2007-09-07 03:06 108,544 ------w C:\WINDOWS\system32\pxcpyi64.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 03:10]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 12:17]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 12:17]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 19:39]
    "TpShocks"="TpShocks.exe" [2005-04-05 16:14 C:\WINDOWS\system32\TpShocks.exe]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 13:43]
    "TP4EX"="tp4ex.exe" [2004-11-12 02:07 C:\WINDOWS\system32\TP4EX.exe]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 03:11]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-10 22:05]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 02:05]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 03:10]
    "IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-27 10:53]
    "QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 04:07]
    "QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 04:07]
    "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-13 02:01]
    "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-13 02:01]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-07-10 23:13]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-10 23:13]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 06:55]
    "HostManager"="C:\Program Files\Common Files\AOL\1189196369\ee\AOLSoftware.exe" [2007-04-12 15:23]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-06-25 18:32]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 11:05]
    "MWLExe"="C:\PROGRA~1\McAfee\MWL\MwlGui.exe" [2006-11-17 18:04]
    "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 16:00]
    "SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 18:03]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-08 14:41:16]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    QConGina.dll 2005-03-18 04:07 262144 C:\WINDOWS\system32\QConGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    tphklock.dll 2004-08-12 21:11 24576 C:\WINDOWS\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"= scecli pwdmon

    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys
    R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys
    R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS
    R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS
    R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys
    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys
    R2 ibmfilter;ibmfilter;\??\C:\WINDOWS\system32\drivers\ibmfilter.sys
    R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys
    R3 TPM11;NSC Integrated Trusted Platform Module 1.1;C:\WINDOWS\system32\DRIVERS\nsctpm11.sys
    S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys
    S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys
    S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys
    S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys
    S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys
    S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6f322a0-2f48-11dc-8169-00166f782360}]
    \Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-22 08:03:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2007-11-22 08:32:22 C:\WINDOWS\Tasks\PMTask.job"
    - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-22 02:32:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-22 2:34:38 - machine was rebooted
    .
    --- E O F ---
     
  5. Scott Hattrup

    Scott Hattrup Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    9
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:43:19 AM, on 11/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\Program Files\Common Files\AOL\1189196369\ee\AOLSoftware.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee\MWL\MwlGui.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee\MWL\MwlSvc.exe
    C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Documents and Settings\Marge\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189196369\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\McAfee\MWL\MwlGui.exe /Start
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee Wireless Security Service (MwlSvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MWL\MwlSvc.exe
    O23 - Service: Pantech&Curitel Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9901 bytes
     
  6. Scott Hattrup

    Scott Hattrup Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    9
    Another remaining issue I am still having is that the viruses or trojans have changed my stand alone system to an administratively restricted system. The Control Panel button in the Start menu is gon and replaced with the Set Program Access and Defaults button. I have also been intermittently unable to pull up the Windows Task Manager, and get a message that the system administrator has disabled that function. Please let me know what I need to do to restore these two functions in particular, as well as reversing any other common changes these trojan types typically make. Thanks much for your help so far.
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • Open the c:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer that normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
     
  8. Scott Hattrup

    Scott Hattrup Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    9
    Thanks for the fast follow up on the logs with another fix. Will that also take care of my other really annoying problem? Internet Explorer seems to be frequently blocked from connecting to the Internet. It will sometimes connect, but will frequently go into Working Offline mode. Hitting the button to reconnect does not work very often. I usually connect through a wireless router. I have powered off and restarted both the router and the cable modem, have taken the computer to another location to connect through a different router, and have tried to connect through my broadband card. Other Internet accessing programs such as AOL have no problem connecting in any of these places, but IE has apparently been altered by the viruses. I will likely have to download SDFix through the AOL software because of this other issue. Thanks.
     
  9. Scott Hattrup

    Scott Hattrup Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    9
    SDFix: Version 1.115

    Run by Marge on Thu 11/22/2007 at 11:21 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found





    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-22 23:27:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe"

    scanning hidden files ...

    C:\WINDOWS\TEMP\TMP000000180CA483221B417096

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 1


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------


    Files with Hidden Attributes:

    Wed 24 Sep 2003 49,238 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
    Wed 24 Sep 2003 36,954 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
    Wed 24 Sep 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
    Fri 23 Feb 2007 225,380 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
    Wed 6 Jun 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0\AOLphx.exe"
    Wed 6 Jun 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0\AOLphxex.exe"
    Wed 6 Jun 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0\rbm.exe"
    Wed 29 Dec 2004 233,554 A..H. --- "C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP88\A0008054.exe"
    Sat 15 Sep 2007 96,072 ...H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"

    Finished!
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    How is it running now? Any problems?
     
  11. Scott Hattrup

    Scott Hattrup Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    9
    Seems to be running okay. The Control Panel button is back, and IE is no longer disconnecting from the Internet. McAfee found a couple items in the registry after the system was back up and deleted them. Prior to your fixes, McAfee was unable to fix anything on its own. I suspect those items were just artifacts of the virus. Two questions:

    Do I need to run HijackThis to get a log and see if anything else is floating around the system?

    Would you suggest an AV program(s) that would prevent stuff like this in the future? I'm not really thrilled with McAfee's lack of success here. Thanks.
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Yes, please post a new hijackthis log.

    McAfee is not any better or any worse than other AV programs. They all have a hard time keeping updated with the latest threats. You can find other AV programs suggested here: Security Help Tools


    You can and should remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

    OTMoveIt by OldTimer has a CleanUp! option you can use to remove most of the fixes and associated files and folders if you want to use that. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.


    It's a good idea to Flush your System Restore after removing malware:
    Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405



    Clean up your PC


    Here are some additional links for you to check out to help you with your computer security.

    How did I get infected in the first place.

    Secunia software inspector & update checker

    Good free tools and advice on how to tighten your security settings.



    You're welcome!
     
  13. Scott Hattrup

    Scott Hattrup Thread Starter

    Joined:
    Nov 10, 2007
    Messages:
    9
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:41:06 PM, on 11/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\PROGRA~1\McAfee\MWL\MwlSvc.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\Program Files\Common Files\AOL\1189196369\ee\AOLSoftware.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\MWL\MwlGui.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AOL 9.0\waol.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\AOL 9.0\shellmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189196369\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\McAfee\MWL\MwlGui.exe /Start
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee Wireless Security Service (MwlSvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MWL\MwlSvc.exe
    O23 - Service: Pantech&Curitel Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 10674 bytes
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Looks fine. (y)
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/650462

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice