the worst case of adware i've had to-date; logs included



DrGiggles
2006-12-10, 18:58
HJT log below, active scan log in next post:

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 12:51:41 PM, on 12/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TpShocks.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\DOCUME~1\MICHAE~1\MYDOCU~1\FNTS~1\spool32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HighCriteria\TotalRecorder\TotalRecorder.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\s?stem\j?vaw.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {BEB8AB40-61A0-350E-D22A-6B73134E02C9} - C:\WINDOWS\System32\qot.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BEB8AB40-61A0-350E-D22A-6B73134E02C9} - C:\WINDOWS\System32\qot.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Uahe] "C:\DOCUME~1\MICHAE~1\MYDOCU~1\FNTS~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Lumgrthp] C:\WINDOWS\system32\s?stem\j?vaw.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.astonmartin.com/configurator/v8vantage_load.html
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ospraie.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.ospraie.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ospraie.com
O20 - AppInit_DLLs:
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

Incident Status Location

DrGiggles
2006-12-10, 19:00
Adware:Adware/PurityScan Not disinfected c:\docume~\michae~1\mydocu~\fnts~\spool32.exe
Virus:Trj/Lowzones.SY Disinfected Operating system
Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
Spyware:spyware/bundleware Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/navhelper Not disinfected Windows Registry
Adware:adware/wintools Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@2o7[1].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@64.62.232[4].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@adopt.hbmediapro[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@advertising[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@belnk[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@burstnet[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@c.enhance[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@casalemedia[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@cgi-bin[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@com[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@ct.360i[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@dist.belnk[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@ehg-dig.hitbox[2].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@errorguard[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@go[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@rightmedia[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@serving-sys[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@www.burstbeacon[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\mcho\Cookies\mcho@xiti[1].txt
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Michael Cho\.jpi_cache\file\1.0\Counter.class-4f780aa4-7da1291d.class
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Michael Cho\.jpi_cache\file\1.0\Gummy.class-421ef8d3-533b7ae6.class
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@adultfriendfinder[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@anm.co[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@atwola[2].txt

DrGiggles
2006-12-10, 19:01
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@burstnet[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@com[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@drivecleaner[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@entrepreneur[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@hitbox[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@ig.com[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@searchportal.information[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@stats1.reliablestats[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@tucows[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@www.burstbeacon[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@www.drivecleaner[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@www.winantivirus[1].txt
Adware:Adware/YazzleSudoku Not disinfected C:\Documents and Settings\Michael Cho\Local Settings\Temp\b116.exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Michael Cho\Local Settings\Temp\b122.exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Michael Cho\Local Settings\Temp\nsfA.tmp\nsProcess.dll
Adware:Adware/NavHelper Not disinfected C:\Documents and Settings\Michael Cho\Local Settings\Temp\temp.fr8FA0\NavHelper\v2.0.4c\NHelper.dll
Adware:Adware/NavHelper Not disinfected C:\Documents and Settings\Michael Cho\Local Settings\Temp\temp.fr8FA0\NavHelper\v2.0.4c\NHUninstaller.exe
Adware:Adware/NavHelper Not disinfected C:\Documents and Settings\Michael Cho\Local Settings\Temp\temp.fr8FA0\NavHelper\v2.0.4c\NHUpdater.exe
Adware:Adware/NavHelper Not disinfected C:\Documents and Settings\Michael Cho\Local Settings\Temp\temp.fr8FA0\NavHelper\v2.0.4c\v2.0.4c.c.cab
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\Michael Cho\Local Settings\Temporary Internet Files\Content.IE5\9NFJDT8E\122[1].net
Adware:Adware/YazzleSudoku Not disinfected C:\Documents and Settings\Michael Cho\Local Settings\Temporary Internet Files\Content.IE5\KRTV26JD\116[1].net
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Michael Cho\My Documents\F?nts\spool32.exe
Possible Virus. Not disinfected C:\IBMTOOLS\DRIVERS\HOTKEY\TPISETUP.DLL
Possible Virus. Not disinfected C:\IBMTOOLS\DRIVERS\PKGMGR\TPISETUP.DLL
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Adware:Adware/YazzleSudoku Not disinfected C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\DIGStream\digstream.exe
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
Possible Virus. Not disinfected C:\Program Files\ThinkPad\PkgMgr\TpiSetup.dll
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Virus:Trj/Lowzones.SY Disinfected C:\Program Files\Winamp\winampa.exe
Hacktool:HackTool/EvID4226 Not disinfected C:\temp2\EvID4226Patch212-en\EvID4226Patch.exe
Hacktool:HackTool/EvID4226 Not disinfected C:\temp2\EvID4226Patch212-en.zip[EvID4226Patch.exe]
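
The HJT log in the first post shows three patterns a helper picks out by eye: paths containing `?` (a character HJT cannot render; `?` is not legal in a Windows path, so `s?stem\j?vaw.exe` and `F?nts\spool32.exe` are lookalike names), autostart entries that run out of the user profile (`DOCUME~1\...\MYDOCU~1\FNTS~1\spool32.exe`), and an unnamed browser hook backed by a bare DLL in System32 (`qot.dll`). The script below is an added example, not part of the thread and not a HijackThis feature; it applies those three heuristics to a sample built from lines copied out of the log above plus a few benign lines for contrast. The heuristics and the `SAMPLE_HJT_LOG` text are my construction.

```python
"""Triage helper for a HijackThis (HJT) log: flags the patterns visible in the thread above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT log in the first post, plus benign
# lines (lsass.exe, Spybot's SDHelper BHO, Google Talk) so the checks have
# something to ignore.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\DOCUME~1\MICHAE~1\MYDOCU~1\FNTS~1\spool32.exe
C:\WINDOWS\system32\s?stem\j?vaw.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {BEB8AB40-61A0-350E-D22A-6B73134E02C9} - C:\WINDOWS\System32\qot.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Uahe] "C:\DOCUME~1\MICHAE~1\MYDOCU~1\FNTS~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Lumgrthp] C:\WINDOWS\system32\s?stem\j?vaw.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - ")      # "O4 - ...", "R3 - ..."
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                   # bare path in "Running processes"
# A Windows path can never contain '?'; HJT prints it for a character it cannot render.
UNRENDERABLE_RE = re.compile(r"[A-Za-z]:\\\S*\?")
# A DLL sitting directly in System32 (no subfolder) behind an unnamed hook.
BARE_SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll$")
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\",
                   "\\mydocu~1\\", "\\my documents\\", "\\temp\\")


@dataclass
class Finding:
    line: str
    reasons: list


def classify(line: str) -> str | None:
    """Return the HJT entry kind ('O4', 'R3', ...), 'process' for a bare path, else None."""
    m = ENTRY_RE.match(line)
    if m:
        return m.group("kind")
    return "process" if DRIVE_RE.match(line) else None


def check_line(line: str) -> list:
    """Apply the three heuristics to one log line; returns the reasons it was flagged."""
    kind = classify(line)
    reasons = []
    if kind is None:
        return reasons
    low = line.lower()
    if UNRENDERABLE_RE.search(line):
        reasons.append("path contains '?': a character HJT could not render, i.e. a lookalike name")
    if kind in ("process", "O4") and any(mk in low for mk in PROFILE_MARKERS):
        reasons.append("runs from the user profile (My Documents/Temp) rather than Program Files or Windows")
    if kind in ("R3", "O2", "O3") and "(no name)" in low and BARE_SYSTEM32_DLL_RE.search(low):
        reasons.append("unnamed browser hook backed by a bare DLL in System32")
    return reasons


def basename(line: str) -> str:
    """Last path component on the line, minus any closing quote and arguments."""
    tail = line[line.rfind("\\") + 1:]
    return re.split(r'[\s"]', tail)[0]


def triage(log_text: str) -> list:
    """Run check_line over every non-empty line and collect the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = check_line(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


def flagged_files(log_text: str) -> set:
    """File names to pull for inspection: each appears in at least one flagged line."""
    return {basename(f.line) for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
    print("inspect:", sorted(flagged_files(SAMPLE_HJT_LOG)))
```

Running it on the sample flags the two running processes, the `qot.dll` hook and the two HKCU Run entries, and `flagged_files` collapses that to the three binaries worth pulling: `spool32.exe`, `j?vaw.exe` and `qot.dll`. The Spybot BHO is also "(no name)" but lives under Program Files, so the hook rule leaves it alone; that rule is deliberately narrow because many legitimate BHOs report no name.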

pskelley
2006-12-11, 13:37
Welcome to the forum, please follow these instructions:

1) Start > Control Panel > Add Remove programs and uninstall ipwins, PuritySCAN By OIN, OIN or OuterInfo, and any other program you know does not belong there. If you do not see any of that junk, try this uninstaller:
http://www.outerinfo.com/howto.html

2) Thanks to sUBs and anyone who helped with this fix.

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com
http://download.bleepingcomputer.com/sUBs/combofix.exe
* techsupportforum.com
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. If the log is large you might need to post half in one reply and half in another.

Thanks

DrGiggles
2006-12-12, 13:11
Thanks pskelley!
Uninstalled a few programs that looked sketchy, incl. OuterInfo. ComboFix log below:

mdc - 06-12-12 7:06:52.90 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Michael Cho\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3409A215-063A-1033-0618-040405130001}
C:\Program Files\Common Files\{5409A215-063A-1033-0618-040405130001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Michael Cho\Application Data\RACLE~1
C:\QooBox\Purity\Documents and Settings\Michael Cho\My Documents\FNTS~1
C:\QooBox\Purity\Documents and Settings\Michael Cho\My Documents\STEM32~1
C:\QooBox\Purity\Program Files\Common Files\DOBE~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\SSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-12 to 2006-12-12 ))))))))))))))))))))))))))))))))))


2006-12-10 18:48 <DIR> d-------- C:\Program Files\Common Files\Lenovo
2006-12-10 18:47 <DIR> d--hs---- C:\Config.Msi
2006-12-10 18:02 <DIR> dr-h----- C:\Documents and Settings\Michael Cho\Recent
2006-12-10 12:50 <DIR> d-------- C:\hijackthis
2006-12-09 00:37 166,912 --a------ C:\WINDOWS\lame_enc.dll
2006-12-08 19:48 54,272 --a------ C:\WINDOWS\system32\DrvTrNTm.dll
2006-12-08 19:48 106,496 --a------ C:\WINDOWS\system32\DrvTrNTl.dll
2006-12-08 19:48 <DIR> d-------- C:\Program Files\HighCriteria
2006-12-07 23:36 <DIR> d-------- C:\WINDOWS\system32\(null)
2006-12-07 20:54 <DIR> d-------- C:\WINDOWS\system32\save$$updater
2006-12-07 20:54 <DIR> d-------- C:\Program Files\Lenovo
2006-12-05 00:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-05 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-04 23:43 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-03 16:15 2 --a------ C:\WINDOWS\system32\wintsvtr.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-12 07:08 -------- d-------- C:\Program Files\Common Files
2006-12-12 06:59 -------- d-------- C:\Program Files\Uninstall Information
2006-12-12 06:59 -------- d-------- C:\Program Files\StreamboxVcrSuite2
2006-12-12 06:59 -------- d-------- C:\Program Files\Outlook Express
2006-12-12 06:59 -------- d-------- C:\Program Files\Internet Explorer
2006-12-12 06:59 -------- d-------- C:\Program Files\Common Files\System
2006-12-12 06:57 -------- d-------- C:\Program Files\InstallShield Installation Information
2006-12-10 15:27 -------- d-------- C:\Documents and Settings\Michael Cho\Application Data\Azureus
2006-12-07 20:55 -------- d---s---- C:\Documents and Settings\Michael Cho\Application Data\Microsoft
2006-12-05 00:52 -------- d-------- C:\Program Files\WinRAR
2006-12-05 00:52 -------- d-------- C:\Program Files\Winamp
2006-12-05 00:50 -------- d-------- C:\Program Files\Messenger
2006-12-05 00:48 -------- d-------- C:\Program Files\Google
2006-12-05 00:48 -------- d-------- C:\Program Files\DIGStream
2006-12-05 00:07 -------- d-------- C:\Program Files\QuickTime
2006-12-05 00:07 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-12-05 00:07 -------- d-------- C:\Program Files\Microsoft IntelliPoint
2006-12-05 00:07 -------- d-------- C:\Program Files\iTunes
2006-12-04 23:43 -------- d-------- C:\Documents and Settings\Michael Cho\Application Data\Lavasoft


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"IBM RecordNow!"=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"tgcmd"=""
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"TpShocks"="TpShocks.exe"
"TP4EX"="tp4ex.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ATIModeChange"="Ati2mdxx.exe"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
@=""
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\\\ibmmessages.exe"
"TotalRecorderScheduler"="\"C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe\""
"TVT Scheduler Proxy"="C:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,18,01,00,00,00,00,00,00,60,04,00,00,fc,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\BMMTask.job

Completion time: 06-12-12 7:08:25.77
C:\ComboFix.txt ... 06-12-12 07:08
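
The "Purity" section of the ComboFix log above is the interesting part: the quarantined folders are listed by their 8.3 short names (`FNTS~1`, `SSTEM~1`, `STEM32~1`, `DOBE~1`, `RACLE~1`), which are what is left of names like Fonts, system, system32, Adobe and Oracle once the one character that HJT printed as `?` is taken out. The scanner below is an added example, not from the thread or from ComboFix: it flags any file or directory name that is not plain ASCII (or contains a literal `?`, as copied from an HJT log) but would read as a well-known name if each such character were treated as a one-character wildcard. The list of well-known names is my assumption, seeded from the short names above; the Cyrillic letters in `demo()` are also an assumption, since the logs only show that some non-ASCII character replaced an o, a y and an A.

```python
"""Spot file and directory names that imitate well-known ones with non-ASCII characters."""
from __future__ import annotations

import os
import re
import tempfile

# Names worth imitating on a Windows box. Assumption for illustration, seeded from the
# quarantined short names in the ComboFix log (FNTS~1 -> Fonts, SSTEM~1 / STEM32~1 ->
# system / system32, DOBE~1 -> Adobe, RACLE~1 -> Oracle) and j?vaw.exe from the HJT log.
KNOWN_NAMES = ("fonts", "system", "system32", "adobe", "oracle",
               "java", "javaw.exe", "microsoft", "windows")


def lookalike_of(name: str) -> str | None:
    """Return the known name that `name` imitates, or None.

    Each non-ASCII character becomes a one-character wildcard. A literal '?' is treated
    the same way: it is illegal in a Windows file name, and HJT prints it for characters
    it cannot render, so names copied out of an HJT log work as input too.
    """
    low = name.lower()
    if "?" not in low and all(ord(c) < 128 for c in low):
        return None                      # plain ASCII: nothing has been substituted
    pattern = "".join("." if (ord(c) > 127 or c == "?") else re.escape(c) for c in low)
    for known in KNOWN_NAMES:
        if re.fullmatch(pattern, known):
            return known
    return None


def scan_tree(root: str) -> list:
    """Walk `root` and return (full path, imitated name) for every lookalike entry."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            target = lookalike_of(entry)
            if target is not None:
                hits.append((os.path.join(dirpath, entry), target))
    return hits


def demo() -> list:
    """Build a constructed tree with lookalike names next to genuine ones and scan it.

    The Cyrillic letters are an assumption; the thread's logs only show that some
    non-ASCII character stood in for 'o', 'y' and 'A'.
    """
    with tempfile.TemporaryDirectory() as root:
        for rel in ("WINDOWS/Fonts",                            # genuine
                    "WINDOWS/F\u043ents",                       # Cyrillic small o
                    "WINDOWS/system32/s\u0443stem",             # Cyrillic small u (looks like y)
                    "Program Files/Common Files/Adobe",         # genuine
                    "Program Files/Common Files/\u0410dobe"):   # Cyrillic capital A
            os.makedirs(os.path.join(root, rel))
        # Empty file with a Cyrillic small a in place of the Latin one.
        with open(os.path.join(root, "WINDOWS/system32/s\u0443stem/j\u0430vaw.exe"), "wb"):
            pass
        hits = scan_tree(root)
        return sorted((os.path.relpath(p, root), t) for p, t in hits)


if __name__ == "__main__":
    for rel, target in demo():
        print(f"{rel!r} imitates {target}")
```

On a live box you would point `scan_tree` at `C:\` (or at the `Documents and Settings` and `Program Files\Common Files` trees the log shows being used) and review every hit; a genuinely localised name such as `Résumé` produces no hit because its wildcard pattern matches nothing in `KNOWN_NAMES`, while `F?nts` pasted straight from an HJT line resolves to `fonts`.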

DrGiggles
2006-12-12, 13:14
Logfile of HijackThis v1.99.1
Scan saved at 7:12:55 AM, on 12/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TpShocks.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.astonmartin.com/configurator/v8vantage_load.html
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ospraie.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.ospraie.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ospraie.com
O20 - AppInit_DLLs:
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

Thanks again!

pskelley
2006-12-12, 13:52
How's that computer running now? I am showing this item is a component of PurityScan: C:\WINDOWS\system32\wintsvtr.exe. Would you use one or more of these free online scans to check the file and then delete it if it scans bad.
You may need hidden files and folders showing to see it:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...tage_load.html
O20 - AppInit_DLLs:

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Let me know how things are running before I close you.

Thanks
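
Before uploading a suspect file to any of the scanners listed above, it is worth recording its hashes (so the same sample can be looked up later without re-uploading) and checking that it is even a Windows executable: the ComboFix log above lists `C:\WINDOWS\system32\wintsvtr.exe` at 2 bytes, which cannot hold a PE header. The helper below is an added example, not from the thread; it hashes a file and performs a minimal MZ/PE signature check. The file contents in `demo()` are constructed stand-ins (the real 2-byte content is unknown), and `MINIMAL_PE_HEADER` is a header-only stub that passes the check but is not a loadable program.

```python
"""Hash a suspect file and check it is actually a PE before submitting it to a scanner."""
from __future__ import annotations

import hashlib
import os
import struct
import tempfile


def inspect_bytes(data: bytes) -> dict:
    """Hashes plus a minimal PE sanity check: 'MZ' at 0, e_lfanew at 0x3C -> 'PE\\0\\0'."""
    info = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": False,
        "note": "",
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        info["note"] = "no MZ header: not a Windows executable despite the .exe name"
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        info["note"] = "MZ header but no PE signature: truncated or not a PE"
        return info
    info["is_pe"] = True
    return info


def inspect_file(path: str) -> dict:
    """Read the whole file and inspect it; fine for the small droppers seen here."""
    with open(path, "rb") as fh:
        info = inspect_bytes(fh.read())
    info["path"] = path
    return info


# Constructed: a DOS header whose e_lfanew (offset 0x3C) points at a PE signature
# immediately after it. Nothing follows the signature, so it is not loadable.
MINIMAL_PE_HEADER = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"


def demo() -> dict:
    """Write two constructed files and inspect both.

    'wintsvtr.exe' here stands in for the 2-byte file in the ComboFix log; its real
    content is unknown, so two placeholder bytes are used.
    """
    with tempfile.TemporaryDirectory() as d:
        tiny = os.path.join(d, "wintsvtr.exe")
        with open(tiny, "wb") as fh:
            fh.write(b"\r\n")
        stub = os.path.join(d, "stub.exe")
        with open(stub, "wb") as fh:
            fh.write(MINIMAL_PE_HEADER)
        return {"tiny": inspect_file(tiny), "pe": inspect_file(stub)}


if __name__ == "__main__":
    for label, info in demo().items():
        print(label, info["size"], "bytes", "PE" if info["is_pe"] else info["note"],
              "sha256=" + info["sha256"])
```

A file that fails the MZ check is still worth keeping (as evidence of what the dropper left behind) but is not something a PE-based scanner will have much to say about; the SHA-256 is the value to search for on the scanner sites before uploading anything.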

DrGiggles
2006-12-13, 03:45
If it's not cured, it looks to be in remission. Thanks so much for your help. You rock!

pskelley
2006-12-13, 11:18
Thanks for the feedback, please do this now:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Safe surfing...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2006-12-16, 22:08
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.