[Fixed] Hijackthis! Logs - New infection, but not a newbie... lol (PC Help Forum » Security & Safety)


#1 - 12-31-2008 - Fla_Panther (Bronze Member; Join Date: Dec 2008; Posts: 55; PC Experience: A+, CCNA)
New infection, but not a newbie... lol

Ok guys... I've been through this before on my own laptop when dealing with Vundo; this time it's a client's laptop, and I've decided to keep notes on every step taken and the results. I have multiple logs (HJT and others). Rather than upload them all, I'll just give you my notes and the most recent HJT log... if you want to see others, just let me know which one(s) and I'll post it/them.

Ok, onto the notes:

Started 12/30/08 11:00

11:00 Downloaded all needed programs to USB, booted laptop into safe mode
11:11 Renamed HJT, ran, it found a few signs of Virtumonde:
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6701333C-F256-4E3A-8D33-713A96F463E7} - C:\WINDOWS\system32\efcYRhhG.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {525f807a-e793-ad6b-8874-a08afc929c69} - {96c929cf-a80a-4788-b6da-397ea708f525} - C:\WINDOWS\system32\abtgws.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O20 - AppInit_DLLs: avgrsstx.dll abtgws.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll

11:24 Rebooted into regular mode to get to add/remove software
11:28 Removed Google Earth & Updater, Windows Live toolbar
11:32 Booted into Safe Mode, ran another HJT scan. Barring Java, this leaves the following files:

efcYRhhG.dll
abtgws.dll
avgrsstx.dll
abtgws.dll
FPWinLogonNP.dll

11:38 Ran VundoFix, added above files, cleaned
12:27 Log says it couldn't delete all files. Ran VirtumundoBeGone, nothing found
12:29 Installed MBAM, ran scan
12:51 Found 9 files, all items removed successfully
12:53 Ran HJT, efcYRhhG.dll gone but others still there
12:55 installed CrapCleaner & deleted logs, etc.
12:59 Installed & ran Spybot
13:12 Restarted scan due to Windows rebooting
13:17 Found Virtumonde (2 files), removed and re-scanned
13:24 Spybot removal confirmed
13:26 HJT shows no change from last scan
13:28 Tried to install Adaware, SysAdmin policies prevent the install
13:28 Ran an AVG scan
13:39 Restarted scan due to Windows rebooting
14:41 Came back from a business meeting, PC had rebooted again (into normal mode) and froze before logon screen. Hard power off.

Next day, back at it
10:39 Another try at an AVG scan
11:11 Nothing found
11:21 Downloaded MS Malicious Software Removal Tool and ran a scan
11:55 PC restarted, caught the error this time: "DCom Server Process Launcher service terminated unexpectedly"
13:02 Multiple restarts have cancelled the MSMSRT. I decided to try running a simple scan with the AVG Anti-Rootkit tool. It will not run in Safe Mode; had to use regular mode. It found 9 files starting with "seneka". Had the program remove the files & rebooted.
13:06 Ran a full scan with the AVG tool.
14:31 Came back from errand, no rootkits found.
14:32 Ran another HJT scan, looks like everything's gone from O2 section, but 3 files still in the O20 section. I've run out of ideas... going to post a thread and ask for help.


Here's the most recent HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:19 PM, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\FpLogonServ.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Live Search:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Live Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Live Search:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E80E9499-20E5-4BDD-B529-9EC10784802B} - C:\WINDOWS\system32\efcYRhhG.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PUFLITE - http://www.carolbuyerandlistingagent...ol/PUFLITE.CAB
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - https://valuemanager.iasreo.com/BPO/ImageUploader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
--
End of file - 9463 bytes
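The O2 and O20 entries the first post singles out follow a fixed HijackThis line shape, so the triage the poster did by eye can be scripted. The Python below is an added illustration, not code from this thread or from HijackThis; the sample lines are lifted from the first post's scan, and the flagging rules and the trusted AppInit_DLLs list are assumptions of mine, not HijackThis's own logic.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the O2/O20 lines quoted from the first HijackThis scan in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6701333C-F256-4E3A-8D33-713A96F463E7} - C:\WINDOWS\system32\efcYRhhG.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {525f807a-e793-ad6b-8874-a08afc929c69} - {96c929cf-a80a-4788-b6da-397ea708f525} - C:\WINDOWS\system32\abtgws.dll
O20 - AppInit_DLLs: avgrsstx.dll abtgws.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
"""

# HijackThis line shapes for the three entry types the thread focuses on.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
GUID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")
MISSING = " (file missing)"


@dataclass
class Finding:
    target: str  # DLL file the entry points at
    reason: str  # why a reviewer should look at it
    line: str    # the original log line


def basename(path: str) -> str:
    """Strip HijackThis's '(file missing)' marker and any directory part."""
    return path.replace(MISSING, "").strip().rsplit("\\", 1)[-1]


def triage(log_text: str, trusted_appinit=frozenset()) -> list[Finding]:
    """Return the O2/O20 entries worth a second look.

    Heuristics (my assumptions, seeded from this thread's log, not HijackThis rules):
      * a BHO whose name is '(no name)' or a bare GUID has nothing vouching for it;
      * a BHO or Winlogon Notify entry marked '(file missing)' is a stale hook
        (ComboFix later reports exactly such an entry as an orphan);
      * every AppInit_DLLs name is loaded into each process that links user32.dll,
        so anything not on the caller's trust list is reported.
    """
    findings: list[Finding] = []
    trusted = {t.lower() for t in trusted_appinit}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            name, path = m["name"], m["path"]
            if path.endswith(MISSING):
                findings.append(Finding(basename(path), "orphaned BHO: DLL no longer on disk", line))
            elif name == "(no name)" or GUID_RE.match(name):
                findings.append(Finding(basename(path), "BHO with no readable name", line))
        elif m := APPINIT_RE.match(line):
            for dll in m["dlls"].split():
                if dll.lower() not in trusted:
                    findings.append(Finding(dll, "AppInit_DLLs entry not on trust list", line))
        elif m := NOTIFY_RE.match(line):
            if m["path"].endswith(MISSING):
                findings.append(Finding(basename(m["path"]),
                                        f"Winlogon Notify '{m['key']}' points at a missing DLL", line))
    return findings


if __name__ == "__main__":
    # avgrsstx.dll is AVG's own AppInit hook on this machine, so it is trusted here.
    for f in triage(SAMPLE_LOG, trusted_appinit={"avgrsstx.dll"}):
        print(f"{f.target:18} {f.reason}")
```

Run against the sample, the script flags efcYRhhG.dll, abtgws.dll (twice: as a GUID-named BHO and as an AppInit_DLLs entry) and the stale ACNotify entry, which is the same short list the poster carried forward into VundoFix.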
#2 - 12-31-2008 - Pancake (Senior Security Analyst; Join Date: Jun 2006; Location: Victoria, Australia; Posts: 6,798; PC Experience: Elite PC Guru)
Re: New infection, but not a newbie... lol

Run both these programs.

Please download Malwarebytes' Anti-Malware from one of these places:
|MG| Malwarebytes Anti-Malware 1.31
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================================

Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please download from one of these webpages.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
Double-click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Recovery Console can be installed from your disc if you have Vista, if you wish.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
#3 - 01-02-2009 - Fla_Panther (Bronze Member; Join Date: Dec 2008; Posts: 55; PC Experience: A+, CCNA)
Re: New infection, but not a newbie... lol

1/1/09

18:00 Booted into Safe Mode w/Networking, downloaded MBAM update & re-ran scan
18:42 Scan complete, 19 files infected & cleaned, no errors.
19:00 Downloaded & ran ThunderCats ... I mean ComboFix. It stated AVG was running in the background. Couldn't find processes in Task Manager, used MSConfig to turn off AVG upon startup, rebooted, got same message from ComboFix. Ran program anyway and saved log.

Here are the two logs:


Malwarebytes' Anti-Malware 1.31
Database version: 1590
Windows 5.1.2600 Service Pack 3
1/1/2009 6:41:20 PM
mbam-log-2009-01-01 (18-41-20).txt
Scan type: Full Scan (C:\|)
Objects scanned: 112001
Time elapsed: 15 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Carol McGrath\Local Settings\Temp\cvfxfjvt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carol McGrath\Local Settings\Temp\cxcisisw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carol McGrath\Local Settings\Temp\jrscouct.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carol McGrath\Local Settings\Temp\oerswnmxca.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carol McGrath\Local Settings\Temp\roxajecu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\abtgws.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtrRJaY.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccywwvw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gtchkmtn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hmuzql.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rawsbhpd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaahnqknuc.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaotwyqgwd.dll (Trojan.Seneka) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sidyrjvv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tbflbykm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uqpyqa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekasfyswiwj.sy_ (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.


ComboFix 08-12-31.01 - Administrator 2009-01-01 18:54:34.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.795 [GMT -8:00]
Running from: e:\virus removal folder\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Carol McGrath\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\tmp.reg
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.
2008-12-31 12:45 . 2007-01-18 04:00 3,968 --a------ c:\windows\system32\drivers\AvgArCln.sys
2008-12-31 11:59 . 2008-12-31 12:34 <DIR> d-------- C:\6bde1e822f06d275ffeb13da
2008-12-31 11:20 . 2008-12-31 11:55 <DIR> d-------- C:\1a2c31809e0d79b2f05c0b
2008-12-30 12:30 . 2008-12-30 12:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 12:30 . 2008-12-30 12:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 12:30 . 2008-12-30 12:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-30 12:30 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 12:30 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-29 14:11 . 2008-12-29 14:11 <DIR> d-------- C:\VundoFix Backups
2008-12-29 13:52 . 2008-12-29 13:59 149 --a------ c:\windows\wininit.ini
2008-12-29 12:03 . 2008-12-29 12:03 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-29 12:03 . 2008-12-29 12:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-29 12:01 . 2008-12-29 12:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-29 11:59 . 2008-12-29 11:59 <DIR> d-------- c:\program files\CCleaner
2008-12-29 11:54 . 2008-12-29 11:54 <DIR> d-------- c:\program files\Trend Micro
2008-12-28 05:35 . 2008-12-28 05:35 0 --a------ c:\windows\system32\drivers\seneka.sy_
2008-12-27 23:27 . 2008-12-27 23:27 13,915 --a------ c:\windows\system32\senekalrwocjii.dl_
2008-12-27 23:27 . 2008-12-29 12:19 59 --a------ c:\windows\system32\seneka.da_
2008-12-10 18:22 . 2008-12-10 18:21 410,976 --------- c:\windows\system32\deploytk.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 19:34 --------- d-----w c:\program files\Google
2008-12-30 19:30 --------- d-----w c:\program files\Windows Live Toolbar
2008-12-28 08:28 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-18 06:43 --------- d-----w c:\program files\Lx_cats
2008-12-11 02:21 --------- d-----w c:\program files\Java
2008-12-01 07:25 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-09-04 23:41 88 --sh--r c:\windows\system32\1413022DC7.sys
2008-09-04 23:41 5,798 --sh--w c:\windows\system32\KGyGaAvL.sys
2008-05-05 06:43 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-08-20 18:27 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB423"="command" [X]
"SpybotDeletingD5002"="del" [X]
"SpybotDeletingB9256"="command" [X]
"SpybotDeletingD7675"="del" [X]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-18 774233]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe" [2007-05-31 946176]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-05-31 12:57 155648 c:\windows\system32\FpWinlogonNp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-13 18:06 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 13:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--------- 2008-11-30 19:48 1261336 c:\progra~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--------- 2007-03-22 23:32 162584 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--------- 2007-03-22 23:32 138008 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--------- 2006-08-29 23:40 89542 c:\windows\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"ThinkVantage Registry Monitor Service"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"PMSveH"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"lxcj_device"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IviRegMgr"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"BcmSqlStartupSvc"=2 (0x2)
"avg8wd"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"AMSG"=c:\program files\ThinkVantage\AMSG\Amsg.exe /startup
"Alcmtr"=ALCMTR.EXE
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"AwaySch"=c:\program files\Lenovo\AwayTask\AwaySch.EXE
"AzMixerSel"=c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe
"Corel Photo Downloader"=c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
"e02a7885"=rundll32.exe "c:\windows\system32\gtchkmtn.dll",b
"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe"
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"LPManager"=c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe
"LXCJCATS"=rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,RunDLLEntry
"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe"
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
"Persistence"=c:\windows\system32\igfxpers.exe
"PMHandler"=c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe
"RTHDCPL"=RTHDCPL.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TPFNF7"=c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
"TPWAUDAP"=c:\program files\Lenovo\HOTKEY\TpWAudAp.exe
"TVT Scheduler Proxy"=c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\lxcjcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcjpswx.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2006-05-24 10240]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-05-04 11520]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-20 97928]
S1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2008-05-04 4224]
S2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-06-22 106496]
S2 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2007-05-10 54832]
S2 TVT Backup Protection Service;TVT Backup Protection Service;"c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe" [2007-02-08 569344]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2006-04-14 28933976]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-20 231704]
S4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
.
- - - - ORPHANS REMOVED - - - -
BHO-{E80E9499-20E5-4BDD-B529-9EC10784802B} - c:\windows\system32\efcYRhhG.dll

.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
c:\windows\Downloaded Program Files\PUFLITE.dll - O16 -: PUFLITE
hxxp://www.carolbuyerandlistingagent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
c:\windows\Downloaded Program Files\OSD1753.OSD
c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
hxxps://valuemanager.iasreo.com/BPO/ImageUploader5.cab
c:\windows\Downloaded Program Files\ImageUploader5.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 18:56:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Owner=Administrator
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Owner=Administrator
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\Administrator\Software\Microsoft\Window s\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\Administrator\Software\Microsoft\Window s\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\Administrator_Classes\Software\Microsof t\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\Administrator_Classes\Software\Microsof t\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1236)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
- - - - - - - > 'lsass.exe'(1292)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
Completion time: 2009-01-01 18:59:22 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-01-02 02:59:20
Pre-Run: 89,357,021,184 bytes free
Post-Run: 89,375,309,824 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
265 --- E O F --- 2008-12-19 07:35:38
-- Fla_Panther

Old 01-02-2009   #4
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,798
PC Experience: Elite PC Guru
Re: New infection, but not a newbie... lol

Ok. Nearly done..

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\seneka.sy_
c:\windows\system32\senekalrwocjii.dl_
c:\windows\system32\seneka.da_
c:\windows\system32\gtchkmtn.dll

Driver::
seneka.sy_

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"e02a7885"=-
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
__________________
My real name is Eddy

Last edited by Pancake; 01-02-2009 at 12:40 AM.

Old 01-02-2009   #5
Fla_Panther
Bronze Member
Join Date: Dec 2008
Posts: 55
PC Experience: A+, CCNA
Re: New infection, but not a newbie... lol

Well, it got 3 of the 4 files. (I was again unable to get into Safe Mode without AVG starting, and I couldn't get rid of it.) Here are the logs:

ComboFix 08-12-31.01 - Administrator 2009-01-02 12:19:00.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.796 [GMT -8:00]
Running from: e:\virus removal folder\ComboFix.exe
Command switches used :: e:\virus removal folder\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FILE ::
c:\windows\system32\drivers\seneka.sy_
c:\windows\system32\gtchkmtn.dll
c:\windows\system32\seneka.da_
c:\windows\system32\senekalrwocjii.dl_
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\seneka.sy_
c:\windows\system32\seneka.da_
c:\windows\system32\senekalrwocjii.dl_
.
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.
2008-12-31 12:45 . 2007-01-18 04:00 3,968 --a------ c:\windows\system32\drivers\AvgArCln.sys
2008-12-31 11:59 . 2008-12-31 12:34 <DIR> d-------- C:\6bde1e822f06d275ffeb13da
2008-12-31 11:20 . 2008-12-31 11:55 <DIR> d-------- C:\1a2c31809e0d79b2f05c0b
2008-12-30 12:30 . 2008-12-30 12:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 12:30 . 2008-12-30 12:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 12:30 . 2008-12-30 12:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-30 12:30 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 12:30 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-29 14:11 . 2008-12-29 14:11 <DIR> d-------- C:\VundoFix Backups
2008-12-29 13:52 . 2008-12-29 13:59 149 --a------ c:\windows\wininit.ini
2008-12-29 12:03 . 2008-12-29 12:03 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-29 12:03 . 2008-12-29 12:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-29 12:01 . 2008-12-29 12:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-29 11:59 . 2008-12-29 11:59 <DIR> d-------- c:\program files\CCleaner
2008-12-29 11:54 . 2008-12-29 11:54 <DIR> d-------- c:\program files\Trend Micro
2008-12-10 18:22 . 2008-12-10 18:21 410,976 --------- c:\windows\system32\deploytk.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 19:34 --------- d-----w c:\program files\Google
2008-12-30 19:30 --------- d-----w c:\program files\Windows Live Toolbar
2008-12-28 08:28 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-18 06:43 --------- d-----w c:\program files\Lx_cats
2008-12-11 02:21 --------- d-----w c:\program files\Java
2008-12-01 07:25 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-09-04 23:41 88 --sh--r c:\windows\system32\1413022DC7.sys
2008-09-04 23:41 5,798 --sh--w c:\windows\system32\KGyGaAvL.sys
2008-05-05 06:43 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-08-20 18:27 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-01_18.58.34.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-02 02:54:45 80,710 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-02 03:00:33 80,710 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-02 02:54:45 450,676 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-02 03:00:33 450,676 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB423"="command" [X]
"SpybotDeletingD5002"="del" [X]
"SpybotDeletingB9256"="command" [X]
"SpybotDeletingD7675"="del" [X]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-18 774233]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe" [2007-05-31 946176]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-05-31 12:57 155648 c:\windows\system32\FpWinlogonNp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-13 18:06 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 13:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--------- 2008-11-30 19:48 1261336 c:\progra~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--------- 2007-03-22 23:32 162584 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--------- 2007-03-22 23:32 138008 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--------- 2006-08-29 23:40 89542 c:\windows\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"ThinkVantage Registry Monitor Service"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"PMSveH"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"lxcj_device"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IviRegMgr"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"BcmSqlStartupSvc"=2 (0x2)
"avg8wd"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"AMSG"=c:\program files\ThinkVantage\AMSG\Amsg.exe /startup
"Alcmtr"=ALCMTR.EXE
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"AwaySch"=c:\program files\Lenovo\AwayTask\AwaySch.EXE
"AzMixerSel"=c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe
"Corel Photo Downloader"=c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
"e02a7885"=rundll32.exe "c:\windows\system32\gtchkmtn.dll",b
"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe"
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"LPManager"=c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe
"LXCJCATS"=rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,RunDLLEntry
"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe"
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
"Persistence"=c:\windows\system32\igfxpers.exe
"PMHandler"=c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe
"RTHDCPL"=RTHDCPL.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TPFNF7"=c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
"TPWAUDAP"=c:\program files\Lenovo\HOTKEY\TpWAudAp.exe
"TVT Scheduler Proxy"=c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\lxcjcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcjpswx.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2006-05-24 10240]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-05-04 11520]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-20 97928]
S1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2008-05-04 4224]
S2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-06-22 106496]
S2 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2007-05-10 54832]
S2 TVT Backup Protection Service;TVT Backup Protection Service;"c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe" [2007-02-08 569344]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2006-04-14 28933976]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-20 231704]
S4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
c:\windows\Downloaded Program Files\PUFLITE.dll - O16 -: PUFLITE
hxxp://www.carolbuyerandlistingagent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
c:\windows\Downloaded Program Files\OSD1753.OSD
c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
hxxps://valuemanager.iasreo.com/BPO/ImageUploader5.cab
c:\windows\Downloaded Program Files\ImageUploader5.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 12:23:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Owner=Administrator
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Owner=Administrator
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\Administrator\Software\Microsoft\Window s\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\Administrator\Software\Microsoft\Window s\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\Administrator_Classes\Software\Microsof t\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\Administrator_Classes\Software\Microsof t\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NU LL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NUL L*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s *NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e* NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e *NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1244)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
- - - - - - - > 'lsass.exe'(1300)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
Completion time: 2009-01-02 12:25:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 20:25:32
ComboFix2.txt 2009-01-02 02:59:23
Pre-Run: 89,396,764,672 bytes free
Post-Run: 89,379,966,976 bytes free
265 --- E O F --- 2008-12-19 07:35:38



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:19 PM, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\FpLogonServ.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Live Search:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Live Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Live Search:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E80E9499-20E5-4BDD-B529-9EC10784802B} - C:\WINDOWS\system32\efcYRhhG.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PUFLITE - http://www.carolbuyerandlistingagent...ol/PUFLITE.CAB
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - https://valuemanager.iasreo.com/BPO/ImageUploader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
--
End of file - 9463 bytes
Fla_Panther
Old 01-02-2009   #6
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,798
PC Experience: Elite PC Guru
Re: New infection, but not a newbie... lol

That looks ok. You should be fine now.

This will clear away any of the files and folders that were created by ComboFix.
Go to: Start > Run, then copy and paste the following text into the box and click OK.

ComboFix /u
My real name is Eddy
Pancake
Old 01-04-2009   #7
Bronze Member
 
Join Date: Dec 2008
Posts: 55
PC Experience: A+, CCNA
Re: New infection, but not a newbie... lol

Hmm. You sure? I just googled "gtchkmtn.dll" (the 4th file that wasn't deleted), and absolutely NOTHING came up... zero results. I'm thinking it might be a random file name created by one of the viruses that she had on this laptop. I guess I'll boot up into regular mode and use it for my surfing today and see if I get any popups... I'll post back tomorrow and let you know if anything odd happens... thanks for the help.
Fla_Panther
