
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
Re: [Virus] Sending Spam (reply to Superman1234)
Hi Superman1234
I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.
Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it:
To deactivate Spyware Doctor's OnGuard Tools
1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".
You can re-enable it once your system is clean.
Clean your Cache and Cookies in IE:
- Close all instances of Outlook Express and Internet Explorer
- Go to Control Panel > Internet Options > General tab
- Click the "Delete Cookies" button
- Next to it, click the "Delete Files" button
- When prompted, place a check in "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
- Go to Tools > Options.
- Click Privacy in the menu on the left side of the Options window.
- Click the Clear button located to the right of each option (History, Cookies, Private Data).
- Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin:
- Go to Start > Run and type: cleanmgr and click OK.
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Press OK to remove them.
Download HostsXpert from here:
- Extract the file HostsXpert.exe to your Desktop and run it.
- Press 'Restore Original Hosts' and press 'OK'.
- Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
Please Run Malwarebytes' Anti-Malware.
- Click the Update tab.
- Click Check for Updates.
- If an update is found, it will download and install.
- Click the Scanner tab.
- Select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O4 - HKLM\..\Run: [lphcc1sj0ec2p] C:\WINDOWS\system32\lphcc1sj0ec2p.exe
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\romonata.dll c:\windows\system32\ruhirowa.dll
Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.
Using Windows Explorer, locate the following files, and delete them (if still there):
C:\WINDOWS\system32\lphcc1sj0ec2p.exe
C:\WINDOWS\system32\romonata.dll
c:\windows\system32\ruhirowa.dll
Download ComboFix© by sUBs from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Familiarize yourself with ComboFix before running it: »www.bleepingcomputer.com/combofi···combofix
- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it will save a log. Please include the contents of the log at C:\ComboFix.txt in your next reply.
Please post a new HijackThis log, the log from MBAM (if the log is clean, please post the previous log and let me know you did so), the log from ComboFix (combofix.txt), and note any errors encountered.
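The HijackThis step above asks for a fresh log to be rechecked against a list of entries to fix, and the two entries singled out (a ProxyServer pointed at localhost, DLLs in AppInit_DLLs) are the generic signs a helper looks for. The Python below is an added example, not code from the thread or from HijackThis itself: it parses HijackThis log lines, flags those two patterns, and reports which entries from a helper's fix list still appear in a new log. The sample log it scans is constructed from the entries quoted above.

```python
import re
from dataclasses import dataclass

# Added example, not code from the thread or from HijackThis. It reads HijackThis
# "<section> - <detail>" lines, flags two generic hijack signs (a browser proxy
# aimed at the local machine, anything listed in AppInit_DLLs) and reports which
# of a helper's "fix these" entries still appear in a fresh log. Every log line
# below is a constructed sample modelled on the entries quoted in the thread.

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<detail>.*)$")
# localhost or any 127.x.x.x address, optionally with a port, at the start of the
# value or right after "=" or ";" (HJT prints values like "http=localhost:7171").
LOCAL_PROXY_RE = re.compile(
    r"(?:^|[=;])\s*(?:localhost|127(?:\.\d{1,3}){3})(?::\d+)?", re.IGNORECASE)

# The entries the helper asked to have fixed (copied from the instructions above).
FIX_LIST = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;",
    r"O4 - HKLM\..\Run: [lphcc1sj0ec2p] C:\WINDOWS\system32\lphcc1sj0ec2p.exe",
    r"O20 - AppInit_DLLs: ,C:\WINDOWS\system32\romonata.dll c:\windows\system32\ruhirowa.dll",
]

# Constructed "fresh" log: the proxy entry survived untouched, AppInit_DLLs was only
# half cleaned (so it no longer matches the fix list verbatim), the rest is benign.
FRESH_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\romonata.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Entry:
    section: str   # e.g. "R1", "O4", "O20"
    detail: str    # everything after "<section> - "
    raw: str       # the whole line, stripped


def parse_log(text):
    """Return the HijackThis entries in text; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["detail"], line.strip()))
    return entries


def check_local_proxy(entry):
    """R1 ...Internet Settings,ProxyServer = <value>: a proxy on this machine means
    some local process sits between the browser and the network."""
    if entry.section != "R1" or ",ProxyServer = " not in entry.detail:
        return None
    value = entry.detail.split(",ProxyServer = ", 1)[1].strip()
    if LOCAL_PROXY_RE.search(value):
        return f"browser proxy points at the local machine ({value})"
    return None


def check_appinit_dlls(entry):
    """O20 - AppInit_DLLs: <list>: each DLL here is loaded into every process that
    loads user32.dll, so a non-empty value is worth a look. HJT separates paths
    with commas and spaces, so a path containing a space would be split here."""
    if entry.section != "O20" or not entry.detail.startswith("AppInit_DLLs:"):
        return None
    dlls = [d for d in re.split(r"[,\s]+", entry.detail[len("AppInit_DLLs:"):]) if d]
    if dlls:
        return "AppInit_DLLs is populated: " + ", ".join(dlls)
    return None


def scan(text):
    """Run the generic checks over a log; returns [(section, message), ...]."""
    findings = []
    for entry in parse_log(text):
        for check in (check_local_proxy, check_appinit_dlls):
            msg = check(entry)
            if msg:
                findings.append((entry.section, msg))
    return findings


def _norm(line):
    return " ".join(line.split()).casefold()


def still_present(text, fix_list):
    """Fix-list entries that still appear (ignoring case and spacing) in a fresh log."""
    present = {_norm(e.raw) for e in parse_log(text)}
    return [line for line in fix_list if _norm(line) in present]


if __name__ == "__main__":
    for section, msg in scan(FRESH_LOG):
        print(f"[{section}] {msg}")
    for line in still_present(FRESH_LOG, FIX_LIST):
        print("still present:", line)
```

The verbatim comparison misses the half-cleaned AppInit_DLLs line, which is why the generic check runs alongside it.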
-- Proud ASAP member since 2005

Superman1234 @verizon.net
Ok, done.
Problems encountered: FF and Chrome failed to connect (I'm assuming because of the virus). I actually had to delete IE and use an older version to connect.
And again, once the network got running the spam started running through, so I shut down ccApp to stop the popups.
MBAM LOG:
Malwarebytes' Anti-Malware 1.37
Database version: 2196
Windows 5.1.2600 Service Pack 2
5/30/2009 11:23:59 PM mbam-log-2009-05-30 (23-23-59).txt
Scan type: Quick Scan
Objects scanned: 89043
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
COMBO FIX LOG:
ComboFix 09-05-30.03 - ATL 05/30/2009 23:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.528 [GMT -7:00]
Running from: c:\documents and settings\ATL\Desktop\pppp.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\ledahili.dll
c:\windows\system32\rayizanu.exe
c:\windows\system32\rezizoto.exe
c:\windows\system32\roruhore.exe
c:\windows\system32\ukudemeb.ini
c:\windows\system32\vakakayu.exe
c:\windows\system32\yedobivi.dll
c:\windows\system32\zirukeka.dll
----- BITS: Possible infected sites -----
hxxp://62.4.83.201
.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.
2009-05-31 06:38 . 2009-05-31 06:46 -------- d-s---w C:\ComboFix
2009-05-30 18:32 . 2009-05-30 18:32 -------- dc----w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-30 16:51 . 2009-05-30 16:51 -------- d-----w c:\program files\Trend Micro
2009-05-30 16:43 . 2009-05-26 20:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 16:43 . 2009-05-30 16:43 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-30 16:43 . 2009-05-26 20:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-22 00:47 . 2009-05-22 00:47 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-05-21 10:34 . 2009-05-21 10:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-21 10:34 . 2009-05-21 10:36 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-05 07:13 . 2009-05-05 07:13 -------- d-----w c:\documents and settings\ATL\Application Data\Malwarebytes
2009-05-05 07:13 . 2009-05-05 07:13 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-04 20:34 . 2009-05-22 01:58 0 ----a-w c:\windows\system32\drivers\19afffad.sys
2009-05-03 08:05 . 2009-05-03 08:05 45056 ----a-r c:\documents and settings\ATL\Application Data\Microsoft\Installer\{8BF863F9-7739-4DA4-B40A-2AD76D571B82}\MapleStory.exe_DB457427E7B9425292170DC5FADE980F.exe
2009-05-03 08:05 . 2009-05-03 08:05 45056 ----a-r c:\documents and settings\ATL\Application Data\Microsoft\Installer\{8BF863F9-7739-4DA4-B40A-2AD76D571B82}\MapleStory.exe1_DB457427E7B9425292170DC5FADE980F.exe
2009-05-03 08:05 . 2009-05-03 08:05 10134 ----a-r c:\documents and settings\ATL\Application Data\Microsoft\Installer\{8BF863F9-7739-4DA4-B40A-2AD76D571B82}\ARPPRODUCTICON.exe
2009-05-03 06:34 . 2009-05-03 08:31 -------- d-----w c:\documents and settings\ATL\Local Settings\Application Data\PMB Files
2009-05-03 06:34 . 2009-05-03 06:35 -------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2009-05-03 06:34 . 2009-05-03 06:34 -------- d-----w c:\program files\Pando Networks
2009-05-01 21:04 . 2009-05-01 21:04 212480 ----a-w c:\windows\system32\dllcache\ndis.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 06:25 . 2008-08-07 06:35 40 ----a-w c:\windows\system32\profile.dat
2009-05-31 06:14 . 2009-03-30 09:42 -------- d-----w c:\documents and settings\ATL\Application Data\PC Tools
2009-05-30 18:52 . 2008-08-07 06:35 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-03 08:34 . 2009-03-30 09:42 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 08:12 . 2009-05-03 08:12 87552 ---ha-w c:\windows\system32\BITA21.tmp
2009-05-03 08:12 . 2009-05-03 08:12 79872 ---ha-w c:\windows\system32\BITA22.tmp
2009-05-03 08:12 . 2009-05-03 08:12 50688 ---ha-w c:\windows\system32\BITA20.tmp
2009-05-02 21:01 . 2008-08-13 01:49 -------- d-----w c:\program files\Warcraft III
2009-05-01 21:04 . 1980-01-01 07:00 212480 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-29 07:28 . 2008-12-31 09:09 -------- d-----w c:\documents and settings\ATL\Application Data\LimeWire
2009-04-14 04:03 . 2009-04-14 04:03 2713 --sh--w c:\windows\system32\barufutu.exe
2009-04-10 22:37 . 2009-04-10 22:37 2713 --sh--w c:\windows\system32\ratijipe.exe
2009-04-09 22:37 . 2009-04-09 22:37 15644 --sha-w c:\windows\system32\pisabupe.dll
2009-04-09 08:36 . 2009-04-09 08:36 2713 --sh--w c:\windows\system32\nopededo.dll
2009-04-09 08:36 . 2009-04-09 08:36 2713 --sh--w c:\windows\system32\limehabe.exe
2009-04-01 05:55 . 2009-04-01 05:55 10866 --sha-w c:\windows\system32\fujayagi.dll
2009-03-23 08:02 . 2009-03-23 08:02 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-03-20 05:34 . 2008-08-13 01:53 77691 ----a-w c:\windows\War3Unin.dat
2009-03-06 23:45 . 2009-03-30 09:43 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-03-06 06:59 . 2009-03-23 08:05 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2008-12-26 20:30 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-01 08:42 . 2009-02-01 08:42 50688 --sha-w c:\windows\system32\ligenisa.exe
2009-01-12 21:16 . 2009-01-12 21:16 51200 --sha-w c:\windows\system32\lonazaki.exe
2009-02-02 19:53 . 2009-02-02 19:53 51200 --sha-w c:\windows\system32\ludojila.exe
2009-02-04 04:48 . 2009-02-04 04:48 50688 --sha-w c:\windows\system32\malodoso.exe
2009-02-03 08:12 . 2009-02-03 08:12 50688 --sha-w c:\windows\system32\nokadeno.exe
.
------- Sigcheck -------
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[-] 2008-08-26 05:33 502784 B359DE33041BA9ACAB6392745C3F81ED c:\windows\system32\winlogon.exe

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[-] 2009-05-01 21:04 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-01 21:04 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
[-] 2008-08-26 05:33 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]
"aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2005-11-1 581693]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-6 24576]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 20:01 32768 ----a-w c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 21:59 39936 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56823:TCP"= 56823:TCP:Pando Media Booster
"56823:UDP"= 56823:UDP:Pando Media Booster
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/30/2009 2:43 AM 130424]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [8/6/2008 11:19 PM 85760]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [8/6/2008 11:19 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/6/2008 11:42 PM 4442]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [12/8/2005 2:44 PM 3328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/8/2008 7:21 PM 24652]
S1 19afffad;19afffad;c:\windows\system32\drivers\19afffad.sys [5/4/2009 1:34 PM 0]
S1 df90d040;df90d040;c:\windows\system32\drivers\df90d040.sys --> c:\windows\system32\drivers\df90d040.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [8/18/2005 5:22 PM 124608]
S3 sdAuxService;PC Tools Auxiliary Service;c:\nexon\Spyware Doctor\pctsAuxs.exe --> c:\nexon\Spyware Doctor\pctsAuxs.exe [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI7
.
Contents of the 'Scheduled Tasks' folder
2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
2009-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-881565578-3357626825-4007795620-1005.job - c:\documents and settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-11 10:27]
2009-05-31 c:\windows\Tasks\PMTask.job - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-07 08:12]
2008-08-07 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-08-07 00:32]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\ATL\Application Data\Mozilla\Firefox\Profiles\qwywtq3l.default\
FF - plugin: c:\documents and settings\ATL\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2009-05-30 23:57 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(992)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1052)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
.
Completion time: 2009-05-31 23:58
ComboFix-quarantined-files.txt 2009-05-31 06:58
Pre-Run: 64,699,904,000 bytes free Post-Run: 64,793,206,784 bytes free
232 --- E O F --- 2009-03-13 10:02
HIJACK THIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:35 AM, on 5/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: scanner.info
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Nexon\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Nexon\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
-- End of file - 11469 bytes | |   TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it:
To deactivate Spyware Doctor's OnGuard Tools
1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".
You can re-enable it once your system is clean.
I see you have Viewpoint installed... Viewpoint Manager is considered to be foistware instead of malware since it is installed without the user's approval, but doesn't spy or do anything "bad". This will change though; please read this article: »www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
- Viewpoint
- Viewpoint Manager
- Viewpoint Media Player
Reboot afterwards.
-- Important!
If you chose to uninstall Viewpoint, after rebooting, use Windows Explorer to delete the following folder if it is still there: C:\Program Files\Viewpoint
You are (or were) running LimeWire. Various versions of LimeWire have included spyware. I highly recommend uninstalling it and replacing it with a clean P2P program. As an alternative, there is an exact, open source clone of LimeWire called FrostWire. Except for the name and color scheme, it's the same program. You can find a list of clean P2P programs at »p2p.malwareremoval.com. Remember, however, that just because the P2P client is clean doesn't mean that the files you download are. Many P2P networks are riddled with malware, and it's often some of the most recent and therefore sometimes the most difficult to remove.
If you chose to optionally uninstall Limewire, go to Start -> Settings -> Control Panel -> Add or Remove Programs and uninstall the following program: LimeWire
Then, using Windows Explorer, delete the folder: C:\Program Files\LimeWire
We need to make sure you have the most recent version of ComboFix. Delete your current copy of ComboFix.exe. Download ComboFix© by sUBs from one of these links:
Save the file to your Desktop. Close any open browsers. Close your AntiVirus and any anti-spyware programs you may be running.
For this next step, please ensure that ComboFix.exe is on your desktop:
Please open Notepad (*Do Not Use Wordpad!*) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below. Save this as "CFScript.txt", change the "Save as type" to "All Files", and place it on your desktop.
quote:
Driver::
19afffad
df90d040

File::
c:\windows\system32\drivers\19afffad.sys
c:\windows\system32\drivers\df90d040.sys

Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.
Please do a scan with Kaspersky Online Scanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete, click on View scan report.
- Now, click on the Save Report as button.
- In the drop down box labeled Files of type, change the type to Text file.
- Save the file to your desktop.
- Copy and paste that information in your next post.
Please post a new HijackThis log, the log from Kaspersky's online scanner, the log from ComboFix (combofix.txt), and note any errors encountered.
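Added here as an example (my code, not TheJoker's instructions or any tool's own code): a small Python triage script for the two log formats posted in this thread, HijackThis O23 service lines and ComboFix Find3M file lines, run over sample lines constructed from entries that appear in the thread. The ComboFix attribute column layout it relies on is an assumption read off the logs here.

```python
"""Triage helper for the two log formats pasted in this thread: HijackThis
O23 (service) lines and ComboFix Find3M file lines.  Added example, not
HijackThis, ComboFix or forum code.  It flags stale service registrations
("(file missing)"), services with no identified publisher, and hidden+system
files dropped straight into system32 under a random eight-letter name."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, copied from the shapes of entries seen in this thread.
SAMPLE_HJT = r"""
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Nexon\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""

SAMPLE_FIND3M = r"""
2009-04-14 04:03 . 2009-04-14 04:03 2713 --sh--w c:\windows\system32\barufutu.exe
2009-04-09 22:37 . 2009-04-09 22:37 15644 --sha-w c:\windows\system32\pisabupe.dll
2009-05-01 21:04 . 1980-01-01 07:00 212480 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-03 08:12 . 2009-05-03 08:12 87552 ---ha-w c:\windows\system32\BITA21.tmp
"""


@dataclass(frozen=True)
class Finding:
    source: str    # "O23" or "Find3M"
    severity: str  # "stale", "check" or "suspect"
    path: str
    reason: str


# HijackThis: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def triage_o23(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None for non-O23 lines and clean services."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name, owner, path = m.group("name"), m.group("owner"), m.group("path")
    if m.group("missing"):
        # The service key survived an uninstall but its binary is gone; in this
        # thread that is the leftover Spyware Doctor pair under C:\Nexon.
        return Finding("O23", "stale", path, f"service {name!r} points at a missing file")
    if owner == "Unknown owner":
        # Not proof of anything (OEM utilities show up like this too), but
        # HijackThis found no publisher, so the binary deserves a manual look.
        return Finding("O23", "check", path, f"service {name!r} has no identified publisher")
    return None


# ComboFix Find3M: "<changed> . <created> <size or dashes> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(?P<changed>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(exe|dll)$")


def triage_find3m(line: str) -> Optional[Finding]:
    """Flag hidden+system files placed directly in system32 with a random-looking
    eight-letter name, the pattern the scanners in this thread kept finding."""
    m = FIND3M_RE.match(line.strip())
    if not m:
        return None
    attrs, path = m.group("attrs"), m.group("path")
    # Attribute column layout is an assumption read off the logs in this thread:
    # index 0 = directory, 2 = system, 3 = hidden, 4 = archive.
    hidden_system = attrs[2] == "s" and attrs[3] == "h"
    folder, _, name = path.lower().rpartition("\\")
    if hidden_system and folder == r"c:\windows\system32" and RANDOM_NAME_RE.match(name):
        return Finding("Find3M", "suspect", path,
                       f"hidden+system file with random name, {m.group('size')} bytes")
    return None


def triage(text: str) -> list[Finding]:
    """Run both classifiers over a pasted log excerpt (one entry per line)."""
    findings = []
    for line in text.splitlines():
        hit = triage_o23(line) or triage_find3m(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT + SAMPLE_FIND3M):
        print(f"[{f.source}:{f.severity}] {f.path}  ({f.reason})")
```

On the sample input it reports the two leftover Spyware Doctor-style entries as stale and the ThinkPad service as "check", which is the kind of distinction behind the Spyware Doctor confusion later in this thread.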
-- Proud ASAP member since 2005
Superman1234 @verizon.net
Two things:
1. This is the second time you've posted for me to deactivate Spyware Doctor, but I'm 99% positive I don't have it. I ran a search to make sure and nothing came up. Could there be something else causing problems?
2. I'm unable to run Kaspersky's scanner. It requires a newer version of Java which, for whatever reason, I am unable to download. I believe this has something to do with my faulty connection (I'm only able to connect on an old version of IE).
Otherwise I ran Combofix again.
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
Go to Start > Settings > Control Panel > Internet Options > Tools Menu -> Internet Options -> Connections Tab -> Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously. In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.
Download the latest version of Kaspersky Virus Removal Tool
- Close all other applications and double-click and run the installer.
- When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
- If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button.
- In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- If advised that a special disinfection procedure is required which demands a system reboot, click the Ok button to close the window.
- In the Scan window click the Reports button and select Save to file.
- Name the report AVPT.txt, and save it to the Desktop.
- Close AVPTool.
- You will be prompted if you want to uninstall the program; click Yes.
- You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
- Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
Please post a new HijackThis log, the requested portion of the log from Kaspersky's Virus Removal Tool, and the ComboFix log from the last set of instructions.
-- Proud ASAP member since 2005
Superman1234 @verizon.net
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:33 PM, on 6/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Nexon\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Nexon\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
-- End of file - 11633 bytes
Kaspersky:
Scan
----
Scanned: 898505
Detected: 35
Untreated: 0
Start time: 6/1/2009 1:23:02 PM
Duration: 03:12:43
Finish time: 6/1/2009 4:35:45 PM
Detected
--------
Status Object
------ ------
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.r File: C:\Documents and Settings\ATL\My Documents\LimeWire\Incomplete\T-5745425-great escape (unplugged version).mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.u File: C:\Documents and Settings\ATL\My Documents\LimeWire\Saved\baptism of solitude.mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.n File: C:\Documents and Settings\ATL\My Documents\LimeWire\Saved\great escape boys like girls - greatest hits.mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.r File: C:\Documents and Settings\ATL\My Documents\LimeWire\Saved\little too not over you.mp3
deleted: Trojan program Trojan-Downloader.Win32.Small.akgk File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ED00000.VBN//CryptZ
deleted: virus Email-Worm.Win32.Zhelatin.vl File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14540001.VBN//CryptZ
deleted: Trojan program Packed.Win32.Krap.q File: C:\Qoobox\Quarantine\C\WINDOWS\system32\rayizanu.exe.vir
deleted: Trojan program Packed.Win32.Krap.q File: C:\Qoobox\Quarantine\C\WINDOWS\system32\vakakayu.exe.vir
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065112.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065113.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065118.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065120.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065124.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065132.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065141.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065143.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065146.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065152.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065156.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065165.dll
deleted: Trojan program Backdoor.Win32.NewRest.z File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP147\A0069292.sys
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP148\A0071430.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP148\A0071433.exe
deleted: Trojan program Packed.Win32.Krap.n File: C:\WINDOWS\system32\fujayagi.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\WINDOWS\system32\ligenisa.exe
deleted: Trojan program Trojan-Dropper.Win32.Xpiut.hq File: C:\WINDOWS\system32\lonazaki.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\WINDOWS\system32\ludojila.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\WINDOWS\system32\malodoso.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\WINDOWS\system32\nokadeno.exe
deleted: Trojan program Packed.Win32.Krap.n File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075721.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075722.exe
deleted: Trojan program Trojan-Dropper.Win32.Xpiut.hq File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075723.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075724.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075725.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075726.exe
Combofix:
ComboFix 09-05-30.03 - ATL 05/31/2009 19:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.558 [GMT -7:00]
Running from: c:\documents and settings\ATL\Desktop\pppp.exe
Command switches used :: c:\documents and settings\ATL\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
FILE ::
"c:\windows\system32\drivers\19afffad.sys"
"c:\windows\system32\drivers\df90d040.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\19afffad.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_19afffad
-------\Service_df90d040
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.
2009-05-31 06:38 . 2009-05-31 06:46 -------- d-s---w C:\ComboFix
2009-05-30 18:32 . 2009-05-30 18:32 -------- dc----w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-30 16:51 . 2009-05-30 16:51 -------- d-----w c:\program files\Trend Micro
2009-05-30 16:43 . 2009-05-26 20:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 16:43 . 2009-05-30 16:43 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-30 16:43 . 2009-05-26 20:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-22 00:47 . 2009-05-22 00:47 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-05-21 10:34 . 2009-05-21 10:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-21 10:34 . 2009-05-21 10:36 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-05 07:13 . 2009-05-05 07:13 -------- d-----w c:\documents and settings\ATL\Application Data\Malwarebytes
2009-05-05 07:13 . 2009-05-05 07:13 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 08:05 . 2009-05-03 08:05 45056 ----a-r c:\documents and settings\ATL\Application Data\Microsoft\Installer\{8BF863F9-7739-4DA4-B40A-2AD76D571B82}\MapleStory.exe_DB457427E7B9425292170DC5FADE980F.exe
2009-05-03 08:05 . 2009-05-03 08:05 45056 ----a-r c:\documents and settings\ATL\Application Data\Microsoft\Installer\{8BF863F9-7739-4DA4-B40A-2AD76D571B82}\MapleStory.exe1_DB457427E7B9425292170DC5FADE980F.exe
2009-05-03 08:05 . 2009-05-03 08:05 10134 ----a-r c:\documents and settings\ATL\Application Data\Microsoft\Installer\{8BF863F9-7739-4DA4-B40A-2AD76D571B82}\ARPPRODUCTICON.exe
2009-05-03 06:34 . 2009-05-03 08:31 -------- d-----w c:\documents and settings\ATL\Local Settings\Application Data\PMB Files
2009-05-03 06:34 . 2009-05-03 06:35 -------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2009-05-03 06:34 . 2009-05-03 06:34 -------- d-----w c:\program files\Pando Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 02:41 . 2008-08-07 06:35 40 ----a-w c:\windows\system32\profile.dat
2009-06-01 02:17 . 2008-08-09 02:21 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-31 06:14 . 2009-03-30 09:42 -------- d-----w c:\documents and settings\ATL\Application Data\PC Tools
2009-05-30 18:52 . 2008-08-07 06:35 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-03 08:34 . 2009-03-30 09:42 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 08:12 . 2009-05-03 08:12 87552 ---ha-w c:\windows\system32\BITA21.tmp
2009-05-03 08:12 . 2009-05-03 08:12 79872 ---ha-w c:\windows\system32\BITA22.tmp
2009-05-03 08:12 . 2009-05-03 08:12 50688 ---ha-w c:\windows\system32\BITA20.tmp
2009-05-02 21:01 . 2008-08-13 01:49 -------- d-----w c:\program files\Warcraft III
2009-05-01 21:04 . 1980-01-01 07:00 212480 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-29 07:28 . 2008-12-31 09:09 -------- d-----w c:\documents and settings\ATL\Application Data\LimeWire
2009-04-14 04:03 . 2009-04-14 04:03 2713 --sh--w c:\windows\system32\barufutu.exe
2009-04-10 22:37 . 2009-04-10 22:37 2713 --sh--w c:\windows\system32\ratijipe.exe
2009-04-09 22:37 . 2009-04-09 22:37 15644 --sha-w c:\windows\system32\pisabupe.dll
2009-04-09 08:36 . 2009-04-09 08:36 2713 --sh--w c:\windows\system32\nopededo.dll
2009-04-09 08:36 . 2009-04-09 08:36 2713 --sh--w c:\windows\system32\limehabe.exe
2009-04-01 05:55 . 2009-04-01 05:55 10866 --sha-w c:\windows\system32\fujayagi.dll
2009-03-23 08:02 . 2009-03-23 08:02 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-03-20 05:34 . 2008-08-13 01:53 77691 ----a-w c:\windows\War3Unin.dat
2009-03-06 23:45 . 2009-03-30 09:43 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-03-06 06:59 . 2009-03-23 08:05 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2008-12-26 20:30 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-01 08:42 . 2009-02-01 08:42 50688 --sha-w c:\windows\system32\ligenisa.exe
2009-01-12 21:16 . 2009-01-12 21:16 51200 --sha-w c:\windows\system32\lonazaki.exe
2009-02-02 19:53 . 2009-02-02 19:53 51200 --sha-w c:\windows\system32\ludojila.exe
2009-02-04 04:48 . 2009-02-04 04:48 50688 --sha-w c:\windows\system32\malodoso.exe
2009-02-03 08:12 . 2009-02-03 08:12 50688 --sha-w c:\windows\system32\nokadeno.exe
.
------- Sigcheck -------
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe [-] 2008-08-26 05:33 502784 B359DE33041BA9ACAB6392745C3F81ED c:\windows\system32\winlogon.exe
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys [-] 2009-05-01 21:04 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\dllcache\ndis.sys [-] 2009-05-01 21:04 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\drivers\ndis.sys
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll [-] 2008-08-26 05:33 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll . ((((((((((((((((((((((((((((( SnapShot@2009-05-31_06.57.42 ))))))))))))))))))))))))))))))))))))))))) . + 2009-06-01 02:21 . 2009-06-01 02:21 16384 c:\windows\Temp\Perflib_Perfdata_6f0.dat + 2009-05-22 00:47 . 2009-06-01 02:30 32768 c:\windows\system32\config\systemprofile\UserData\index.dat - 2009-05-22 00:47 . 2009-05-31 06:47 32768 c:\windows\system32\config\systemprofile\UserData\index.dat + 2009-05-31 21:44 . 2009-06-01 02:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009053120090601\index.dat + 2008-08-07 06:47 . 2009-06-01 02:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2008-08-07 06:47 . 2009-05-31 06:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-08-07 06:47 . 2009-06-01 02:30 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat - 2008-08-07 06:47 . 2009-05-31 06:47 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]
"aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2005-11-1 581693]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-6 24576]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "DisallowRun"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify] 2006-04-17 20:01 32768 ----a-w c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] 2005-12-08 21:59 39936 ----a-w c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2] 2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey] 2005-12-01 03:16 24576 ----a-w c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56823:TCP"= 56823:TCP:Pando Media Booster
"56823:UDP"= 56823:UDP:Pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/30/2009 2:43 AM 130424]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [8/6/2008 11:19 PM 85760]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [8/6/2008 11:19 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/6/2008 11:42 PM 4442]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [12/8/2005 2:44 PM 3328]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [8/18/2005 5:22 PM 124608]
S3 sdAuxService;PC Tools Auxiliary Service;c:\nexon\Spyware Doctor\pctsAuxs.exe --> c:\nexon\Spyware Doctor\pctsAuxs.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
2009-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-881565578-3357626825-4007795620-1005.job - c:\documents and settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-11 10:27]
2009-06-01 c:\windows\Tasks\PMTask.job - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-07 08:12]
2008-08-07 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-08-07 00:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\ATL\Application Data\Mozilla\Firefox\Profiles\qwywtq3l.default\
FF - plugin: c:\documents and settings\ATL\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net
Rootkit scan 2009-05-31 19:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1020)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

- - - - - - - > 'explorer.exe'(5692)
c:\windows\system32\PROCHLP.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-06-01 19:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-01 02:48
ComboFix2.txt 2009-05-31 06:58
Pre-Run: 64,674,787,328 bytes free
Post-Run: 64,641,310,720 bytes free
271 --- E O F --- 2009-03-13 10:02

TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
Not only has Kaspersky's Virus Removal Tool removed several infections, it has shown the apparent source of at least part of your infections - downloading infected files with LimeWire. As I pointed out in my previous post, even if you replace LimeWire with a clean P2P program, that only means that the program is clean; it doesn't mean that the files that you download will be, and you have infected mp3 files that were downloaded with it.
If you uninstalled LimeWire as recommended, then you should also delete the following folder, but first you will need to be sure you have hidden files and folders showing.
Reconfigure Windows XP to show hidden files:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm.
Click OK.
c:\documents and settings\ATL\Application Data\LimeWire
Now you need to hide the files you un-hid earlier:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm.
Click OK.
If you uninstalled LimeWire as recommended, also do this:
Please run Notepad and paste the following text in the Quote box (between the lines) into a new file:
quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry. A window will open and quickly close.
We need to make sure you have the most recent version of ComboFix. Delete your current copy of ComboFix.exe. Download ComboFix© by sUBs from one of these links:
Save the file to your Desktop. Close any open browsers. Close your AntiVirus and any anti-spyware programs you may be running.
For this next step, please ensure that ComboFix.exe is on your desktop:
Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below. Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.
quote:
File::
c:\windows\system32\BITA21.tmp
c:\windows\system32\BITA22.tmp
c:\windows\system32\BITA20.tmp
c:\windows\system32\barufutu.exe
c:\windows\system32\ratijipe.exe
c:\windows\system32\pisabupe.dll
c:\windows\system32\nopededo.dll
c:\windows\system32\limehabe.exe
c:\windows\system32\fujayagi.dll
c:\windows\system32\ligenisa.exe
c:\windows\system32\lonazaki.exe
c:\windows\system32\ludojila.exe
c:\windows\system32\malodoso.exe
c:\windows\system32\nokadeno.exe

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.
Please post a new HijackThis log, the log from ComboFix (combofix.txt), and note any errors encountered.
-- Proud ASAP member since 2005
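As an added example (not TheJoker's, ComboFix's or the ASAP team's code), the script below does in code what the fix.reg step above does by hand: it reads the firewall "AuthorizedApplications" block out of a ComboFix log, picks out exceptions that point into a program directory that has since been uninstalled, and writes a REGEDIT4 script that deletes those values with the `"name"=-` syntax. The log excerpt embedded in it is constructed from the entries in this thread, and it names the full `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\...` key because regedit does not accept ComboFix's `HKLM\~\` shorthand.

```python
"""Turn a ComboFix firewall-exception listing into a REGEDIT4 cleanup script.

Added example for this thread, not code from ComboFix or the helper.
"""
import re

# Constructed sample: the two firewall blocks as ComboFix prints them,
# trimmed to a few entries from the log posted in this thread.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56823:TCP"= 56823:TCP:Pando Media Booster
"56823:UDP"= 56823:UDP:Pando Media Booster
'''

# ComboFix abbreviates SYSTEM\CurrentControlSet as "~"; a .reg file merged
# with regedit must spell out the real key (Windows XP SP2 firewall location).
AUTHORIZED_APPS_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=')


def parse_sections(text):
    """Return {section key: [value name, ...]} for every [key] block in the log."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections[current] = []
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group("name"))
    return sections


def authorized_apps(text):
    """Firewall exception paths, with the .reg-style doubled backslashes collapsed."""
    for key, names in parse_sections(text).items():
        if key.lower().endswith(r"authorizedapplications\list"):
            return [n.replace("\\\\", "\\") for n in names]
    return []


def stale_exceptions(text, uninstalled_dirs):
    """Exceptions whose path lies under a directory known to have been removed."""
    prefixes = [d.lower().rstrip("\\") + "\\" for d in uninstalled_dirs]
    return [p for p in authorized_apps(text)
            if any(p.lower().startswith(pre) for pre in prefixes)]


def reg_delete_script(paths):
    """Build a REGEDIT4 script; "name"=- deletes the value, as in fix.reg above."""
    lines = ["REGEDIT4", "", "[" + AUTHORIZED_APPS_KEY + "]"]
    for p in paths:
        doubled = p.replace("\\", "\\\\")   # .reg syntax escapes backslashes
        lines.append('"' + doubled + '"=-')
    return "\r\n".join(lines) + "\r\n"     # regedit expects CRLF line endings


if __name__ == "__main__":
    stale = stale_exceptions(SAMPLE_LOG, [r"c:\Program Files\LimeWire"])
    print(reg_delete_script(stale))
```

Review the generated script before merging it: the only entries it removes are those you passed in via the uninstalled directory list, so an exception for a program you still use is left alone.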