cgerber1356
asked on
TROJ_SMALL.INV causeing BSOD
I have a windows xp box that has at least two viruses Trend Micro reports ADW_ULTIMATEDEZ and TROJ_SMALL.INV it reports that the files are deleted but every reboot they show up again. computer gets a bsod shortly after Trend Micro gives its report. I am running XP SP2. below is the hijackthis log file. Please help
Logfile of HijackThis v1.99.1
Scan saved at 6:34:43 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\nslsvi
C:\WINDOWS\system32\ibmpms
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\S24EvM
C:\WINDOWS\system32\spools
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\BigFix Enterprise\BES Client\BesClient.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\_svcho
C:\Program Files\lotus\notes\ntmulti.
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\WINDOWS\system32\RegSrv
C:\Program Files\SpywareDetector\SDSe
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEX
C:\WINDOWS\system32\TpKmpS
C:\Program Files\Common Files\Lenovo\Scheduler\tvt
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\Program Files\RealVNC\WinVNC.EXE
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\GU9F50.EXE
C:\WINDOWS\system32\acs.ex
C:\Program Files\ThinkPad\ConnectUtil
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Synaptics\SynTP\SynT
C:\PROGRA~1\ThinkPad\UTILI
C:\WINDOWS\system32\TpShoc
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Common Files\Lenovo\Scheduler\sch
C:\Program Files\Lenovo\HOTKEY\TPOSDS
C:\WINDOWS\system32\RunDll
C:\WINDOWS\system32\rundll
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\ThinkPad\ConnectUtil
C:\WINDOWS\system32\_svcho
C:\WINDOWS\vmmreg32.exe
C:\WINDOWS\system32\rundll
C:\Program Files\SecCenter\scprot4.ex
C:\Program Files\Mwfjoete\wuhtsizo.ex
C:\WINDOWS\tsitra801.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\SpywareDetector\SDSy
C:\Program Files\Lenovo\HOTKEY\TPONSC
C:\Program Files\Lenovo\Zoom\TpScrex.
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PrintKey2000\Printke
C:\WINDOWS\system32\wbem\c
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pcsetup\Desktop\A
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {48291E74-0979-EB5A-3A45-0
O2 - BHO: Her - {971D5B7B-F7DF-43ee-B771-6
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [e360SysTray] C:\Program Files\Fiberlink\Extend360\
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bi
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\sch
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDS
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\T
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\B
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [ACTRAY] C:\Program Files\ThinkPad\ConnectUtil
O4 - HKLM\..\Run: [ACWLICON] C:\Program Files\ThinkPad\ConnectUtil
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\system32\_svcho
O4 - HKLM\..\Run: [Intel] C:\WINDOWS\vmmreg32.exe
O4 - HKLM\..\Run: [dexidepm] rundll32.exe "C:\Program Files\dexidepm\xorevsbe.dl
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.ex
O4 - HKLM\..\Run: [wuhtsizo] C:\Program Files\Mwfjoete\wuhtsizo.ex
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra801.exe 61A847B5BBF7281A329A284503
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSy
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\Live
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\c
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printke
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {00134F72-5284-44F7-95A8-5
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0
O16 - DPF: {215B8138-A3CF-44C5-803F-8
O16 - DPF: {2DAD3559-2923-4935-AD49-B
O16 - DPF: {35C3D91E-401A-4E45-88A5-F
O16 - DPF: {3BFFE033-BF43-11D5-A271-0
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {74FFE28D-2378-11D5-990C-0
O20 - AppInit_DLLs: taskkill.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANot
O20 - Winlogon Notify: psfus - C:\WINDOWS\system32\psqlpw
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNo
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O21 - SSODL: dDmkZaW - {F8D7B04C-527D-1AE6-C8D7-3
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtil
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.ex
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtil
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BesClient.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Fiberlinkcomm Wireless Engine - Unknown owner - C:\Program Files\Fiberlink\Extend360\
O23 - Service: Fiberlinkcomm WMonitor - Boingo Wireless, Inc. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpms
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvi
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\system32\_svcho
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrv
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvM
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDSe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpS
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvt
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
O23 - Service: Virtual Network Computing (WinVNC) - Unknown owner - C:\Program Files\RealVNC\WinVNC.EXE" -service (file missing)
Logfile of HijackThis v1.99.1
Scan saved at 6:34:43 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\nslsvi
C:\WINDOWS\system32\ibmpms
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\S24EvM
C:\WINDOWS\system32\spools
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\BigFix Enterprise\BES Client\BesClient.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\_svcho
C:\Program Files\lotus\notes\ntmulti.
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\WINDOWS\system32\RegSrv
C:\Program Files\SpywareDetector\SDSe
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEX
C:\WINDOWS\system32\TpKmpS
C:\Program Files\Common Files\Lenovo\Scheduler\tvt
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\Program Files\RealVNC\WinVNC.EXE
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\GU9F50.EXE
C:\WINDOWS\system32\acs.ex
C:\Program Files\ThinkPad\ConnectUtil
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Synaptics\SynTP\SynT
C:\PROGRA~1\ThinkPad\UTILI
C:\WINDOWS\system32\TpShoc
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Common Files\Lenovo\Scheduler\sch
C:\Program Files\Lenovo\HOTKEY\TPOSDS
C:\WINDOWS\system32\RunDll
C:\WINDOWS\system32\rundll
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\ThinkPad\ConnectUtil
C:\WINDOWS\system32\_svcho
C:\WINDOWS\vmmreg32.exe
C:\WINDOWS\system32\rundll
C:\Program Files\SecCenter\scprot4.ex
C:\Program Files\Mwfjoete\wuhtsizo.ex
C:\WINDOWS\tsitra801.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\SpywareDetector\SDSy
C:\Program Files\Lenovo\HOTKEY\TPONSC
C:\Program Files\Lenovo\Zoom\TpScrex.
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PrintKey2000\Printke
C:\WINDOWS\system32\wbem\c
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pcsetup\Desktop\A
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {48291E74-0979-EB5A-3A45-0
O2 - BHO: Her - {971D5B7B-F7DF-43ee-B771-6
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [e360SysTray] C:\Program Files\Fiberlink\Extend360\
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bi
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\sch
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDS
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\T
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\B
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [ACTRAY] C:\Program Files\ThinkPad\ConnectUtil
O4 - HKLM\..\Run: [ACWLICON] C:\Program Files\ThinkPad\ConnectUtil
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\system32\_svcho
O4 - HKLM\..\Run: [Intel] C:\WINDOWS\vmmreg32.exe
O4 - HKLM\..\Run: [dexidepm] rundll32.exe "C:\Program Files\dexidepm\xorevsbe.dl
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.ex
O4 - HKLM\..\Run: [wuhtsizo] C:\Program Files\Mwfjoete\wuhtsizo.ex
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra801.exe 61A847B5BBF7281A329A284503
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSy
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\Live
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\c
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printke
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {00134F72-5284-44F7-95A8-5
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0
O16 - DPF: {215B8138-A3CF-44C5-803F-8
O16 - DPF: {2DAD3559-2923-4935-AD49-B
O16 - DPF: {35C3D91E-401A-4E45-88A5-F
O16 - DPF: {3BFFE033-BF43-11D5-A271-0
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {74FFE28D-2378-11D5-990C-0
O20 - AppInit_DLLs: taskkill.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANot
O20 - Winlogon Notify: psfus - C:\WINDOWS\system32\psqlpw
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNo
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O21 - SSODL: dDmkZaW - {F8D7B04C-527D-1AE6-C8D7-3
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtil
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.ex
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtil
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BesClient.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Fiberlinkcomm Wireless Engine - Unknown owner - C:\Program Files\Fiberlink\Extend360\
O23 - Service: Fiberlinkcomm WMonitor - Boingo Wireless, Inc. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpms
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvi
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\system32\_svcho
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrv
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvM
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDSe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpS
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvt
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
O23 - Service: Virtual Network Computing (WinVNC) - Unknown owner - C:\Program Files\RealVNC\WinVNC.EXE" -service (file missing)
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Not sure if the tool has been updated recently, but you can also try running it.
Download WinKRootKitRemover to your desktop.
http://secured2k.home.comcast.net/tools/WinKRootKitRemover.exe
Double-click the icon to open the program
Then, click RUN and then START
Save the log it creates to your desktop.
Follow the prompts and reboot when necessary (your system will reboot twice; this is normal).
When the tool is finished, please post the contents of the log here along with a new HijackThis log please.
Download WinKRootKitRemover to your desktop.
http://secured2k.home.comcast.net/tools/WinKRootKitRemover.exe
Double-click the icon to open the program
Then, click RUN and then START
Save the log it creates to your desktop.
Follow the prompts and reboot when necessary (your system will reboot twice; this is normal).
When the tool is finished, please post the contents of the log here along with a new HijackThis log please.
ASKER
IndiGenus,
I am running antivirus "Trend Micro's Officescan" (how good it is I can't say but alo this is not of my choice). I ran ComboFix and my bsod went away but Officescan still found 4 virus after reboot
2 "ADW_ULTIMATEDEZ"
2 "TROJ_SMALL.INV"
rpggamergirl,
I had no restorepoints prior to running ComboFix.Removed bad folders, fixed proplem you instructed, don't know what do do about the bad files. I didn't run Prevx2 (they want $24 and I dont feel comtfull useing my credit card on this infeted computer), I ran Superantispyware and fixed all problems it foound. then ran WinKRootKITRemover.exe which couldnt find the service to remove. When I ran hijackthis for a log there were 20 more 02-BHO-(no name)-{ } which I fixed and restarted. How can I tell that my computer is clean?
below are last log files
WinKRootKit.txt
10/07/2007, 13:44:53 - Starting Process
10/07/2007, 13:44:53 - Could not detect the service installed. Nothing else to do!
Logfile of HijackThis v1.99.1
Scan saved at 14:20, on 2007-10-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\nslsvi
C:\WINDOWS\system32\ibmpms
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\S24EvM
C:\WINDOWS\system32\spools
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\BigFix Enterprise\BES Client\BesClient.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\WINDOWS\system32\RegSrv
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEX
C:\WINDOWS\system32\TpKmpS
C:\Program Files\Common Files\Lenovo\Scheduler\tvt
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\Program Files\RealVNC\WinVNC.EXE
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\JND4AE.EXE
C:\WINDOWS\system32\acs.ex
C:\Program Files\ThinkPad\ConnectUtil
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Synaptics\SynTP\SynT
C:\PROGRA~1\ThinkPad\UTILI
C:\WINDOWS\system32\TpShoc
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Lenovo\Scheduler\sch
C:\Program Files\Lenovo\HOTKEY\TPOSDS
C:\WINDOWS\system32\RunDll
C:\WINDOWS\system32\rundll
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\ThinkPad\ConnectUtil
C:\WINDOWS\system32\rundll
C:\Program Files\Vrnwlwzd\lsgcsjhh.ex
C:\Program Files\SUPERAntiSpyware\SUP
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PrintKey2000\Printke
C:\Program Files\Lenovo\HOTKEY\TPONSC
C:\Program Files\Lenovo\Zoom\TpScrex.
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pcsetup\Desktop\A
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [e360SysTray] C:\Program Files\Fiberlink\Extend360\
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bi
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\sch
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDS
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\T
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\B
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [ACTRAY] C:\Program Files\ThinkPad\ConnectUtil
O4 - HKLM\..\Run: [ACWLICON] C:\Program Files\ThinkPad\ConnectUtil
O4 - HKLM\..\Run: [cpuhirch] rundll32.exe "C:\Program Files\cpuhirch\ormvspal.dl
O4 - HKLM\..\Run: [lsgcsjhh] C:\Program Files\Vrnwlwzd\lsgcsjhh.ex
O4 - HKLM\..\Run: [gvhtjhkp] C:\Program Files\Lmhdcsyz\gvhtjhkp.ex
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printke
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {00134F72-5284-44F7-95A8-5
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0
O16 - DPF: {215B8138-A3CF-44C5-803F-8
O16 - DPF: {2DAD3559-2923-4935-AD49-B
O16 - DPF: {35C3D91E-401A-4E45-88A5-F
O16 - DPF: {3BFFE033-BF43-11D5-A271-0
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {74FFE28D-2378-11D5-990C-0
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANot
O20 - Winlogon Notify: psfus - C:\WINDOWS\system32\psqlpw
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtil
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.ex
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtil
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BesClient.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Fiberlinkcomm Wireless Engine - Unknown owner - C:\Program Files\Fiberlink\Extend360\
O23 - Service: Fiberlinkcomm WMonitor - Boingo Wireless, Inc. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpms
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvi
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrv
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvM
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpS
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvt
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
O23 - Service: Virtual Network Computing (WinVNC) - Unknown owner - C:\Program Files\RealVNC\WinVNC.EXE" -service (file missing)
I am running antivirus "Trend Micro's Officescan" (how good it is I can't say but alo this is not of my choice). I ran ComboFix and my bsod went away but Officescan still found 4 virus after reboot
2 "ADW_ULTIMATEDEZ"
2 "TROJ_SMALL.INV"
rpggamergirl,
I had no restorepoints prior to running ComboFix.Removed bad folders, fixed proplem you instructed, don't know what do do about the bad files. I didn't run Prevx2 (they want $24 and I dont feel comtfull useing my credit card on this infeted computer), I ran Superantispyware and fixed all problems it foound. then ran WinKRootKITRemover.exe which couldnt find the service to remove. When I ran hijackthis for a log there were 20 more 02-BHO-(no name)-{ } which I fixed and restarted. How can I tell that my computer is clean?
below are last log files
WinKRootKit.txt
10/07/2007, 13:44:53 - Starting Process
10/07/2007, 13:44:53 - Could not detect the service installed. Nothing else to do!
Logfile of HijackThis v1.99.1
Scan saved at 14:20, on 2007-10-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\nslsvi
C:\WINDOWS\system32\ibmpms
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\S24EvM
C:\WINDOWS\system32\spools
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\BigFix Enterprise\BES Client\BesClient.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\WINDOWS\system32\RegSrv
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEX
C:\WINDOWS\system32\TpKmpS
C:\Program Files\Common Files\Lenovo\Scheduler\tvt
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\Program Files\RealVNC\WinVNC.EXE
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\JND4AE.EXE
C:\WINDOWS\system32\acs.ex
C:\Program Files\ThinkPad\ConnectUtil
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Synaptics\SynTP\SynT
C:\PROGRA~1\ThinkPad\UTILI
C:\WINDOWS\system32\TpShoc
C:\Program Files\Fiberlink\Extend360\
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Lenovo\Scheduler\sch
C:\Program Files\Lenovo\HOTKEY\TPOSDS
C:\WINDOWS\system32\RunDll
C:\WINDOWS\system32\rundll
C:\Program Files\ThinkPad\ConnectUtil
C:\Program Files\ThinkPad\ConnectUtil
C:\WINDOWS\system32\rundll
C:\Program Files\Vrnwlwzd\lsgcsjhh.ex
C:\Program Files\SUPERAntiSpyware\SUP
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PrintKey2000\Printke
C:\Program Files\Lenovo\HOTKEY\TPONSC
C:\Program Files\Lenovo\Zoom\TpScrex.
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pcsetup\Desktop\A
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [e360SysTray] C:\Program Files\Fiberlink\Extend360\
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bi
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\sch
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDS
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\T
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\B
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [ACTRAY] C:\Program Files\ThinkPad\ConnectUtil
O4 - HKLM\..\Run: [ACWLICON] C:\Program Files\ThinkPad\ConnectUtil
O4 - HKLM\..\Run: [cpuhirch] rundll32.exe "C:\Program Files\cpuhirch\ormvspal.dl
O4 - HKLM\..\Run: [lsgcsjhh] C:\Program Files\Vrnwlwzd\lsgcsjhh.ex
O4 - HKLM\..\Run: [gvhtjhkp] C:\Program Files\Lmhdcsyz\gvhtjhkp.ex
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printke
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {00134F72-5284-44F7-95A8-5
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0
O16 - DPF: {215B8138-A3CF-44C5-803F-8
O16 - DPF: {2DAD3559-2923-4935-AD49-B
O16 - DPF: {35C3D91E-401A-4E45-88A5-F
O16 - DPF: {3BFFE033-BF43-11D5-A271-0
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {74FFE28D-2378-11D5-990C-0
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANot
O20 - Winlogon Notify: psfus - C:\WINDOWS\system32\psqlpw
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-9
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtil
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.ex
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtil
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BesClient.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Fiberlinkcomm Wireless Engine - Unknown owner - C:\Program Files\Fiberlink\Extend360\
O23 - Service: Fiberlinkcomm WMonitor - Boingo Wireless, Inc. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpms
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvi
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrv
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvM
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpS
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvt
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
O23 - Service: Virtual Network Computing (WinVNC) - Unknown owner - C:\Program Files\RealVNC\WinVNC.EXE" -service (file missing)
ASKER
Here are the Viruses that Officescan found on a scan of the computer I am going to try to remove these as Officescan instructs it says that they are quarranteed
TROJ_XORPIX.CF
TROJ_SMALL.INV
TROJ_AGENT.WNQ
TROJ_BHO.JM
Possible_Strat-6
Possible_Strat-6
TROJ_XPACK.CV
TROJ_AGENT.YTL
TROJ_AGENT.YTL
TROJ_SMALL.INV
TROJ_EXITWIN.F
TROJ_AGENT.WNQ
ADW_ULTIMATEDE.Z
ADW_ULTIMATEDE.Z
ADW_ULTIMATEDE.Z
Possible_Strat-6
TROJ_AGENT.YTL
TROJ_VB.CXL
TROJ_XORPIX.CF
TROJ_SMALL.INV
TROJ_AGENT.WNQ
TROJ_BHO.JM
Possible_Strat-6
Possible_Strat-6
TROJ_XPACK.CV
TROJ_AGENT.YTL
TROJ_AGENT.YTL
TROJ_SMALL.INV
TROJ_EXITWIN.F
TROJ_AGENT.WNQ
ADW_ULTIMATEDE.Z
ADW_ULTIMATEDE.Z
ADW_ULTIMATEDE.Z
Possible_Strat-6
TROJ_AGENT.YTL
TROJ_VB.CXL
Sorry I didn't notice the Trend Micro Office Scan program. I am not familiar with it. Trend Micro's products are typically good though.
Do you still have the combofix log that was produced after you ran it? If so can you post that for us too?
Thanks,
Dave
Do you still have the combofix log that was produced after you ran it? If so can you post that for us too?
Thanks,
Dave
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start > All Programs > Accessories > System Tools > System Restore
and restore back to a date before this happened. Of course there's a posibility that System Restore might have already been corrupted.
Bad files showing in your running processes:
C:\WINDOWS\system32\_svcho
C:\WINDOWS\system32\wbem\c
C:\WINDOWS\vmmreg32.exe
C:\WINDOWS\tsitra801.exe
Bad folders that needs to go, most possibly created by WinIk rootkit.
C:\Program Files\dexidepm
C:\Program Files\Mwfjoete
C:\Program Files\Thwsihxs
C:\Program Files\SecCenter
Fix these entries if still present:
O2 - BHO: (no name) - {48291E74-0979-EB5A-3A45-0
O2 - BHO: Her - {971D5B7B-F7DF-43ee-B771-6
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E
O4 - HKLM\..\Run: [Intel] C:\WINDOWS\vmmreg32.exe
O4 - HKLM\..\Run: [dexidepm] rundll32.exe "C:\Program Files\dexidepm\xorevsbe.dl
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.ex
O4 - HKLM\..\Run: [wuhtsizo] C:\Program Files\Mwfjoete\wuhtsizo.ex
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra801.exe 61A847B5BBF7281A329A284503
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\c
O20 - AppInit_DLLs: taskkill.dll
O21 - SSODL: dDmkZaW - {F8D7B04C-527D-1AE6-C8D7-3
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\system32\_svcho
In addition to combofix, you might also run;
PrevX:
http://info.prevx.com/downloadprevx2.asp
SUPERAntispyware:
http://www.superantispyware.com/