lesser-equity

Magazine
Go Back   Computer Juice > Computer Software > Virus, Spyware & Security
Reload this Page

IEXPLORER.EXE virus pls review HiJack log

Register Site Spy Member List Donate Search Today's Posts Mark Forums Read Forum Rules


Register


Reply
Page 1 of 2 1 2
 
Thread Tools
  #1  
Old 21st Sep 2008, 12:02
New Member Group
  
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:37 PM, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Cisco VPN client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\_integra\bin\ccmagent.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\calc.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\program files\internet explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_inte gra\bin\shstart.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E7B489-2160-4DE7-B592-9FD03D16CC74}: Domain = keane.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c:\_integra\bin\ccmagent.exe
--
End of file - 8621 bytes
  #2  
Old 21st Sep 2008, 15:30
Moderator Group
  
Download Malwarebytes' Anti-Malware (MBAM)
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
__________________
  #3  
Old 21st Sep 2008, 18:18
New Member Group
  
No malware found, here is the report
------------------------------------------------------
Windows 5.1.2600 Service Pack 2
9/21/2008 6:16:07 PM
mbam-log-2008-09-21 (18-16-07).txt
Scan type: Quick Scan
Objects scanned: 52621
Time elapsed: 4 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
  #4  
Old 21st Sep 2008, 18:40
Moderator Group
  
There is no malware showing in either log.

What exactly is happening?
__________________
  #5  
Old 21st Sep 2008, 19:23
New Member Group
  
Multiple IEXPLORER.EXE process are spwaning in process list. They immediately pop up if I kill them one by one. Sometimes I also hear some sounds like one of those running any browser window but no visible. There is definitely wrong they are not supposed to exist.
  #6  
Old 21st Sep 2008, 19:26
Moderator Group
  
Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
__________________
  #7  
Old 21st Sep 2008, 19:42
New Member Group
  
ComboFix Log
-----------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 19:31:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT -7:00]
Running from: C:\Keanetools\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanag er[1].txt
C:\WINDOWS\system32\x64
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BHSRV
-------\Service_BHsrv

((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.
2008-09-21 18:09 . 2008-09-21 18:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\012466\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 18:09 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 11:07 . 2008-09-21 11:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-21 11:07 . 2008-09-21 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 11:06 . 2008-09-21 11:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 23:40 . 2008-09-20 23:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-19 09:03 . 2008-09-19 09:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-19 00:49 . 2008-09-19 00:52 <DIR> d-------- C:\Documents and Settings\012466\.housecall6.6
2008-09-19 00:27 . 2008-09-19 09:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-18 20:25 . 2002-02-04 06:22 1,230,336 --a------ C:\WINDOWS\system32\msxml4.dll
2008-09-18 20:25 . 2007-09-14 05:01 922,920 --------- C:\WINDOWS\system32\ahlprun.exe
2008-09-18 20:25 . 2002-02-04 06:13 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2008-09-18 20:25 . 2002-02-04 06:13 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-09-18 20:25 . 2002-02-07 18:43 9,679 --a------ C:\WINDOWS\system32\msxml4r.cat
2008-09-18 20:25 . 2002-02-07 18:43 9,675 --a------ C:\WINDOWS\system32\msxml4.cat
2008-09-18 20:25 . 2002-02-06 20:31 3,489 --a------ C:\WINDOWS\system32\msxml4.Manifest
2008-09-18 20:25 . 2002-02-06 20:31 500 --a------ C:\WINDOWS\system32\msxml4r.Manifest
2008-09-18 20:21 . 2008-09-18 20:21 <DIR> d-------- C:\Program Files\Common Files\Lenovo
2008-09-18 18:27 . 2008-09-21 11:54 21,272 --a------ C:\WINDOWS\system32\bynpea.key
2008-09-18 18:25 . 2008-09-18 18:25 1 --a------ C:\WINDOWS\system32\004fdb9.imi
2008-09-15 14:23 . 2008-09-15 14:23 332,800 ---hs---- C:\WINDOWS\system32\_Bhsrv.msi
2008-09-15 12:15 . 2008-09-18 15:57 69,942 --a------ C:\WINDOWS\system32\rrjack.key
2008-09-15 12:15 . 2008-09-15 12:15 1 --a------ C:\WINDOWS\system32\0048444.imi
2008-09-13 19:27 . 2008-09-13 19:27 24 --a------ C:\WINDOWS\cdplayer.ini
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Real
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-09-22 02:33 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-22 02:33 --------- d-----w C:\Program Files\Cisco VPN client
2008-09-21 18:56 16 --sh--r C:\MSCIOTL.SYS
2008-09-21 18:55 8,416 ----a-w C:\WINDOWS\system32\drivers\CDProbe.SYS
2008-09-20 19:26 430,816 --sh--w C:\Program Files\_MsInfo.msi
2008-09-19 03:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 03:25 --------- d-----w C:\Program Files\ThinkVantage
2008-09-19 03:21 --------- d-----w C:\Program Files\Lenovo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.ex e" [2007-08-15 137752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-14 124656]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp .Exe" [2007-04-26 243248]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe " [2007-03-22 120368]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-13 185896]
"TrackPointSrv"="tp4mon.exe" [2004-08-03 C:\WINDOWS\system32\tp4mon.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 C:\WINDOWS\system32\TpShocks.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 13:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 08:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx 86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsH M86.sys [2007-03-02 19760]
R2 smefs;SMEFileSystem;C:\WINDOWS\system32\drivers\sm efs.sys [2006-02-08 20508]
R3 CdProbe;CdProbe;C:\WINDOWS\system32\DRIVERS\cdprob e.sys [2008-09-21 8416]
R3 smedrv;SMEDriver;C:\WINDOWS\system32\drivers\smedr v.sys [2006-02-08 9516]
S2 AppMgSvc;Application Management Service;C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\WINDOWS\system32\drivers\bynp ea.sys [ ]
S2 yrtxzgwh;yrtxzgwh;C:\WINDOWS\system32\drivers\rrja ck.sys [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 19:35:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\A ppMgSvc]
"ImagePath"="C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\_integra\bin\shstart.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\CENTENN.IAL\AUDIT\CAgent32.exe
C:\CENTENN.IAL\AUDIT\xferwan.exe
C:\Program Files\Cisco VPN client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\_integra\bin\ccmagent.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\ComboFix\pv.cfexe
.
************************************************** ************************
.
Completion time: 2008-09-21 19:36:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 02:36:54
Pre-Run: 64,333,811,712 bytes free
Post-Run: 64,523,264,000 bytes free
175





HijackThis Log
-----------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:41 PM, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Cisco VPN client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\_integra\bin\ccmagent.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E7B489-2160-4DE7-B592-9FD03D16CC74}: Domain = keane.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D239A412-22C2-4683-95BC-1FFAA687D0DF}: NameServer = 172.21.18.101,172.21.18.102
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management Service (AppMgSvc) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - Symantec Corporation - c:\_integra\bin\ccmagent.exe
--
End of file - 8581 bytes
  #8  
Old 21st Sep 2008, 21:24
Moderator Group
  
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
BHSRV
BHsrv

File::
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\rrjack.key
C:\WINDOWS\system32\0048444.imi
C:\WINDOWS\system32\drivers\bynpea.sys
C:\WINDOWS\system32\drivers\rrjack.sys
C:\WINDOWS\system32\calc.exe
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
__________________
  #9  
Old 21st Sep 2008, 22:20
New Member Group
  
ComboFix log after running CFSCript
----------------------------------------------------------
ComboFix 08-09-20.05 - 012466 2008-09-21 22:11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -7:00]
Running from: C:\Keanetools\ComboFix.exe
Command switches used :: C:\Documents and Settings\012466\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\0048444.imi
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\drivers\bynpea.sys
C:\WINDOWS\system32\drivers\rrjack.sys
C:\WINDOWS\system32\rrjack.key
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\_Bhsrv.msi
C:\WINDOWS\system32\0048444.imi
C:\WINDOWS\system32\004fdb9.imi
C:\WINDOWS\system32\bynpea.key
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\system32\rrjack.key
.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.
2008-09-21 18:09 . 2008-09-21 18:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-21 18:09 <DIR> d-------- C:\Documents and Settings\012466\Application Data\Malwarebytes
2008-09-21 18:09 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 18:09 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 11:07 . 2008-09-21 11:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-21 11:07 . 2008-09-21 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-21 11:06 . 2008-09-21 11:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-20 23:40 . 2008-09-20 23:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-19 09:03 . 2008-09-19 09:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-19 00:49 . 2008-09-19 00:52 <DIR> d-------- C:\Documents and Settings\012466\.housecall6.6
2008-09-19 00:27 . 2008-09-19 09:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-18 20:25 . 2002-02-04 06:22 1,230,336 --a------ C:\WINDOWS\system32\msxml4.dll
2008-09-18 20:25 . 2007-09-14 05:01 922,920 --------- C:\WINDOWS\system32\ahlprun.exe
2008-09-18 20:25 . 2002-02-04 06:13 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2008-09-18 20:25 . 2002-02-04 06:13 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-09-18 20:25 . 2002-02-07 18:43 9,679 --a------ C:\WINDOWS\system32\msxml4r.cat
2008-09-18 20:25 . 2002-02-07 18:43 9,675 --a------ C:\WINDOWS\system32\msxml4.cat
2008-09-18 20:25 . 2002-02-06 20:31 3,489 --a------ C:\WINDOWS\system32\msxml4.Manifest
2008-09-18 20:25 . 2002-02-06 20:31 500 --a------ C:\WINDOWS\system32\msxml4r.Manifest
2008-09-18 20:21 . 2008-09-18 20:21 <DIR> d-------- C:\Program Files\Common Files\Lenovo
2008-09-13 19:27 . 2008-09-13 19:27 24 --a------ C:\WINDOWS\cdplayer.ini
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Real
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-13 19:26 . 2008-09-13 19:26 <DIR> d-------- C:\Program Files\Common Files\Real
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-09-22 05:14 8,416 ----a-w C:\WINDOWS\system32\drivers\CDProbe.SYS
2008-09-22 05:14 16 --sh--r C:\MSCIOTL.SYS
2008-09-22 05:14 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-22 03:07 --------- d-----w C:\Program Files\Cisco VPN client
2008-09-20 19:26 430,816 --sh--w C:\Program Files\_MsInfo.msi
2008-09-19 03:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 03:25 --------- d-----w C:\Program Files\ThinkVantage
2008-09-19 03:21 --------- d-----w C:\Program Files\Lenovo
.
((((((((((((((((((((((((((((( snapshot@2008-09-21_19.36.38.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-21 18:59:45 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-22 02:39:43 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-21 18:59:45 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-22 02:39:43 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.ex e" [2007-08-15 137752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-14 124656]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-19 127037]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp .Exe" [2007-04-26 243248]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe " [2007-03-22 120368]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-09-13 185896]
"TrackPointSrv"="tp4mon.exe" [2004-08-03 C:\WINDOWS\system32\tp4mon.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]
"TpShocks"="TpShocks.exe" [2007-03-29 C:\WINDOWS\system32\TpShocks.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 13:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 08:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx 86.sys [2007-03-02 100656]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsH M86.sys [2007-03-02 19760]
R2 smefs;SMEFileSystem;C:\WINDOWS\system32\drivers\sm efs.sys [2006-02-08 20508]
R3 CdProbe;CdProbe;C:\WINDOWS\system32\DRIVERS\cdprob e.sys [2008-09-21 8416]
R3 smedrv;SMEDriver;C:\WINDOWS\system32\drivers\smedr v.sys [2006-02-08 9516]
S2 AppMgSvc;Application Management Service;C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi [2008-09-20 430816]
S2 yraebbgi;yraebbgi;C:\WINDOWS\system32\drivers\bynp ea.sys [ ]
S2 yrtxzgwh;yrtxzgwh;C:\WINDOWS\system32\drivers\rrja ck.sys [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
wrtxzg REG_MULTI_SZ wrtxzg
nraebb REG_MULTI_SZ nraebb
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 22:16:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\WINDOWS\system32\calc.exe
scan completed successfully
hidden files: 1
************************************************** ************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\A ppMgSvc]
"ImagePath"="C:\Program Files\Common Files\Microsoft Shared\MSINFO\MsInfo.msi"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\CENTENN.IAL\AUDIT\CAgent32.exe
C:\CENTENN.IAL\AUDIT\xferwan.exe
C:\Program Files\Cisco VPN client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\_integra\bin\ccmagent.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\_integra\bin\shstart.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\ComboFix\pv.cfexe
.
************************************************** ************************
.
Completion time: 2008-09-21 22:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 05:17:23
ComboFix2.txt 2008-09-22 02:36:59
Pre-Run: 64,509,464,576 bytes free
Post-Run: 64,505,421,824 bytes free
181
  #10  
Old 21st Sep 2008, 22:26
Moderator Group
  
Download OTMoveIt2 by OldTimerand save it to your Desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

1. Double-click OTMoveIt2.exe to run it.
2. Copy the lines in the codebox below.

Code:
[kill explorer]
C:\WINDOWS\system32\calc.exe
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgSvc
EmptyTemp
[start explorer]
3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
4. Click the red Moveit! button.
5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
6. Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
__________________
Reply
Page 1 of 2 1 2

Register
Thread Tools



Arabic Bulgarian Chinese (Simplified) Chinese (Traditional) Croatian Czech Danish Dutch English Finnish French German Greek Hebrew Hungarian Italian Japanese Korean Latvian Lithuanian Norwegian Polish Portuguese Romanian Russian Serbian Slovak Spanish Swedish Thai Turkish Ukrainian

Copyright ©2006 - 2009 Computer Juice.
Contact - Privacy - Sitemap - Top

Powered by vBulletin® Copyright ©2000 - 2009 Jelsoft Enterprises Ltd. SEO by vBSEO ©2009, Crawlability, Inc.