Virtumonde problem

Scan results.......

Hi,

Here's the results :-

Scan taken on 05 Aug 2007 09:48:13 (GMT)

A-Squared Found nothing
AntiVir Found HEUR/Malware
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Win32/PEPatch
BitDefender Found Win32.Cuter.A
ClamAV Found W32.Cuter
CPsecure Found nothing
Dr.Web Found Trojan.Inject.351
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Virus.Win32.Agent.ab
Fortinet Found nothing
Kaspersky Anti-Virus Found Virus.Win32.Agent.ab
NOD32 Found Win32/Agent.AB
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found Virus.Win32.Agent.b
Sophos Antivirus Found nothing
VirusBuster Found Trojan.Patched.S
VBA32 Found nothing
 
Hi

Glad to know that these are bad.

C:\WINDOWS\system32\igfxtray.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\system32\hkcmd.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\system32\igfxpers.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\system32\NeroCheck.exe Infected: Virus.Win32.Agent.ab skipped
C:\Program Files\Analog Devices\Core\smax4pnp.exe Infected: Virus.Win32.Agent.ab skipped
C:\Program Files\Lenovo\Lenovo Keyboard Driver\ctl_center.exe Infected: Virus.Win32.Agent.ab skipped

Boot in safe mode

Delete these:

C:\Program Files\Lenovo\Lenovo Keyboard Driver\ctl_center.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\NeroCheck.exe

Empty Recycle Bin

Reboot.

You may need to re-install the Lenovo Keyboard Driver after that, and maybe also the graphics card drivers (the malware has replaced all the files above with its own versions).

Re-scan with Kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
 
Kaspersky & HJT logs

Kaspersky log..............

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 05, 2007 5:54:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 5/08/2007
Kaspersky Anti-Virus database records: 373211
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 48843
Number of viruses found: 13
Number of infected objects: 33
Number of suspicious objects: 0
Duration of the scan process: 00:31:29

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J8YV451B\upgrade[1].cab/upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J8YV451B\upgrade[1].cab/upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J8YV451B\upgrade[1].cab/upgrade.exe Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J8YV451B\upgrade[1].cab CAB: infected - 3 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Lenovo\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lenovo\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Lenovo\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lenovo\Local Settings\History\History.IE5\MSHist012007080520070806\index.dat Object is locked skipped
C:\Documents and Settings\Lenovo\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lenovo\Local Settings\Temporary Internet Files\PhishingFilter\45E13EC5-3DB7-4B3D-9F80-073A58AB5E82.dat Object is locked skipped
C:\Documents and Settings\Lenovo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lenovo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lenovo\Local Settings\Temp\~DF5EC5.tmp Object is locked skipped
C:\Documents and Settings\Lenovo\Local Settings\Temp\~DFBAD4.tmp Object is locked skipped
C:\Documents and Settings\Lenovo\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lenovo\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Program Files\Common Files\SPC500NC\Mionet\install.exe/cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Program Files\Common Files\SPC500NC\Mionet\install.exe CreateInstall: infected - 1 skipped
C:\Program Files\Opera 9\mail\mailbase.dat Object is locked skipped
C:\Program Files\Opera 9\mail\lexicon\lexicon.dat Object is locked skipped
C:\Program Files\Opera 9\mail\indexer\indexer.dat Object is locked skipped
C:\Program Files\PeerGuardian2\history.db Object is locked skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP10\A0000609.dll Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP16\A0001584.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP22\A0002046.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP22\A0002046.exe/WISE0017.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP22\A0002046.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP22\A0002046.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP22\A0002046.exe WiseSFX Dropper: infected - 3 skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP22\A0002074.dll Infected: not-a-virus:AdWare.Win32.RK.k skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP27\A0002622.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP27\A0002623.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP43\A0005102.EXE Infected: Virus.Win32.Agent.ab skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP43\A0005127.rbf Infected: Virus.Win32.Agent.ab skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP55\A0006241.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP56\A0006436.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP57\A0006659.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP57\A0006660.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP57\A0006664.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP57\A0006725.dll Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP58\A0006809.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP59\A0006979.dll Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP59\A0006981.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP59\A0007065.exe Infected: Virus.Win32.Agent.ab skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP59\A0007066.exe Infected: Virus.Win32.Agent.ab skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP59\A0007067.exe Infected: Virus.Win32.Agent.ab skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP59\A0007068.exe Infected: Virus.Win32.Agent.ab skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP59\A0007069.exe Infected: Virus.Win32.Agent.ab skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP59\A0007070.exe Infected: Virus.Win32.Agent.ab skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP59\change.log Object is locked skipped
C:\log.html Object is locked skipped

Scan process completed.

---------------------------------------------------

HJT log...........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:29 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\LHotkey.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\VPro500.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera 9\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.th/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LHotkey] LHotkey.exe
O4 - HKLM\..\Run: [Lcc1] C:\Program Files\Lenovo\Lenovo Keyboard Driver\ctl_center.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinampAgent.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: VPro500.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?2fc3e251bb604547bedb90cbef8ff57f
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?2fc3e251bb604547bedb90cbef8ff57f
O9 - Extra button: LENOVO - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D7B054A-3D10-44D2-970B-628956F8EF6F}: NameServer = 202.69.137.137,202.69.137.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D7B054A-3D10-44D2-970B-628956F8EF6F}: NameServer = 202.69.137.137,202.69.137.138
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 8417 bytes
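Added example, not part of the thread or of any tool it mentions: a small Python script that cross-references the "Infected:" lines of a Kaspersky report with the O4 autostart entries of a HijackThis log, the same check Shaba did by hand above (patched Intel graphics, SoundMAX, Nero and Lenovo executables all launched from HKLM\..\Run). Sample lines are constructed from the paths quoted in the thread; all function names are this example's own.

```python
import re

# Constructed sample in the format of the Kaspersky Online Scanner report
# quoted in the thread: "<path> Infected: <detection> <last action>".
KASPERSKY_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\igfxtray.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\system32\hkcmd.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\system32\NeroCheck.exe Infected: Virus.Win32.Agent.ab skipped
C:\Program Files\Analog Devices\Core\smax4pnp.exe Infected: Virus.Win32.Agent.ab skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J8YV451B\upgrade[1].cab/upgrade.exe Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\System Volume Information\_restore{38625996-AB61-4C90-9C22-AAD2EFC491EA}\RP43\A0005102.EXE Infected: Virus.Win32.Agent.ab skipped
"""

# Constructed sample in HijackThis v2 format (O4 autostart entries only).
HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LHotkey] LHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinampAgent.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: VPro500.lnk = ?
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<kind>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# First .exe token of a Run command, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def normalize(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.lower()


def parse_kaspersky(report):
    """Return {normalized on-disk path: (path, detection)} for 'Infected:' lines.

    For an archive member such as 'x.cab/upgrade.exe' the on-disk object is
    the container, so the part before the first '/' is kept.
    """
    found = {}
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            container = m.group("path").split("/")[0]
            found.setdefault(normalize(container), (container, m.group("name")))
    return found


def parse_hjt_autostarts(log):
    """Return [(entry label, executable path or None)] for HijackThis O4 lines."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m.group("cmd"))
        entries.append((m.group("name"), exe.group("exe") if exe else None))
    return entries


def correlate(report, log):
    """Flag autostart entries whose target the scanner reported as infected."""
    infected = parse_kaspersky(report)
    hits, unresolved = [], []
    for label, exe in parse_hjt_autostarts(log):
        if exe is None or "\\" not in exe:
            # Bare file name or '?' target: cannot be matched against a scan path.
            unresolved.append(label)
            continue
        det = infected.get(normalize(exe))
        if det:
            hits.append((label, det[0], det[1]))
    covered = {normalize(p) for _, p, _ in hits}
    leftover = [p for key, (p, _) in infected.items() if key not in covered]
    return {"autostart_infected": hits,
            "unresolved_autostarts": unresolved,
            "infected_elsewhere": leftover}


if __name__ == "__main__":
    result = correlate(KASPERSKY_REPORT, HJT_LOG)
    for label, path, det in result["autostart_infected"]:
        print(f"AUTOSTART [{label}] -> {path} ({det})")
    for path in result["infected_elsewhere"]:
        print(f"infected, not an autostart: {path}")
    print("could not resolve:", ", ".join(result["unresolved_autostarts"]))
```

Entries reported as unresolved (a bare name like LHotkey.exe, or a .lnk whose target HijackThis shows as "?") still need a manual look, since the script cannot tell where they actually point.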
 
Hi

Did you replace those files with original copies?

You may want to look whether these folders exist:

C:\WINDOWS\system32\bak
C:\Program Files\Analog Devices\Core\bak
C:\Program Files\Lenovo\Lenovo Keyboard Driver\bak

There might be clean copies of those files.

If there are, copy them to main folder.

Empty this folder:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\

Empty Recycle Bin

Still problems?
 
A question.......

Sorry Shaba you've lost me.

I booted in Safe mode, deleted the files you mentioned, emptied the Recycle Bin, and rebooted. Then I did the scans you asked for. I haven't needed to reinstall any drivers.

Do you want me to action your last post ??
 
Hi

Yes, please check if there are these folders:

C:\WINDOWS\system32\bak
C:\Program Files\Analog Devices\Core\bak
C:\Program Files\Lenovo\Lenovo Keyboard Driver\bak

And empty this folder:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\

And then post back :)

Some info about these in case you need those exes:

C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe

http://www.liutilities.com/products/wintaskspro/processlibrary/igfxtray/
http://www.liutilities.com/products/wintaskspro/processlibrary/hkcmd/
http://www.liutilities.com/products/wintaskspro/processlibrary/igfxpers/
 
Hi Shaba,

Those 3 folders don't exist.

Emptied "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\" but couldn't delete "index.dat" - in use by another program.

What's the state of play now ??
 
Fixed.

Ran SpyBot - No problems found.

Thanks very much for all the help Shaba that was some effort. Much appreciated.

Can I ask a question ?

I have a router with firewall enabled. However the following options are disabled. Should I enable everything ??


Firewall Configuration
DoS Protection
DoS attacks can be checked based on your specific need.

State: Enabled Disabled
SYN Flooding checking
ICMP Redirection checking

Port Scan Protection
Port Scan attacks can be checked based on your specific need.
State: Enabled Disabled
FIN/URG/PSH attack
Xmas Tree attack
Null Scan attack
SYN/RST attack
SYN/FIN attack

Service Filtering
The following services can be blocked based on your specific need.
All unblocked
Ping from External Network
Telnet from External Network
FTP from External Network
DNS from External Network
IKE from External Network
RIP from External Network
DHCP from External Network
ICMP from LAN

Is there any need for a software firewall ??

Thanks
 
Hi

I'd enable these:

DoS Protection
Port Scan Protection

Rest are up to you.

Software firewall is still always good to have, see below for my suggestions:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Any other issues? :)
 
Thanks very much

Hi Shaba.

OK. Have downloaded and installed Comodo. (Zonealarm doesn't like Norton Antivirus).

Well done & thanks again for all the help.

Hopefully I'm sorted.
 
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable System Restore here:

    Windows XP System Restore Guide

Re-enable System Restore using the instructions in the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online and stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress enough how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In the First Place

Happy surfing and stay clean!
 
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 