suran78
asked on
Kill hijacking virus
Experts,
recently my laptop automatically downloaded a virus from internet site - Antivirus XP 2008. Yes, that's what its called and even though I unintalled it several times, it seems to have damaged my sound system, mouse driver, memory and internet speed. I used symantec and other malware software to do scan several times but as soon as I connect to internet, my sound system disables and connection become very slow becuase of memory usage. Some type of invisible download goes in the background and task manager shows that memory is busy but I cannot understand which process is holding memory space. And thus cannot kill it.
How can I stop this memory hijacking when I switch to internet in my laptop? I also checked startup directory and it does not show any virus or suspicious download or activities.
Thanks.
recently my laptop automatically downloaded a virus from internet site - Antivirus XP 2008. Yes, that's what its called and even though I unintalled it several times, it seems to have damaged my sound system, mouse driver, memory and internet speed. I used symantec and other malware software to do scan several times but as soon as I connect to internet, my sound system disables and connection become very slow becuase of memory usage. Some type of invisible download goes in the background and task manager shows that memory is busy but I cannot understand which process is holding memory space. And thus cannot kill it.
How can I stop this memory hijacking when I switch to internet in my laptop? I also checked startup directory and it does not show any virus or suspicious download or activities.
Thanks.
Last Comment
dfxdeimos
Could you download and execute Hijack This ( http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html ) and post the contents of the log file it generates here?
ASKER
Content of log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:17 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\ibmpms
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\Ati2ev
C:\Program Files\Intel\Wireless\Bin\S
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spools
C:\WINDOWS\system32\acs.ex
C:\Progra~1\Symantec\Syman
C:\Program Files\Intel\Wireless\Bin\E
C:\Program Files\Google\Common\Google
C:\WINDOWS\system32\inetsr
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL
C:\PROGRA~1\AT&TGL~1\NetCf
c:\Program Files\Hewlett-Packard\Disc
C:\Program Files\Intel\Wireless\Bin\R
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter
C:\Progra~1\Symantec\Syman
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\System32\TPHDEX
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.
C:\WINDOWS\system32\vmnat.
C:\WINDOWS\system32\vmnetd
C:\Project 2008\ELN\eln v11\vmware-authd.exe
c:\dowwapps\dwsservice\dws
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Progra~1\Symantec\Syman
C:\PROGRA~1\Lenovo\PkgMgr\
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\PROGRA~1\THINKV~1\PrdCt
C:\Program Files\Lenovo\PkgMgr\HOTKEY
C:\Program Files\Lenovo\PkgMgr\HOTKEY
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\WINDOWS\system32\rundll
C:\WINDOWS\system32\TpScrL
C:\PROGRA~1\ThinkPad\UTILI
C:\WINDOWS\system32\TpShoc
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.E
C:\Program Files\Adobe\Distillr\Acrot
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Project 2008\ELN\eln v11\hqtray.exe
C:\Program Files\CambridgeSoft\E-Note
C:\Program Files\Google\GoogleToolbar
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.e
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EX
C:\Program Files\MIP\AgentSrv.EXE
C:\Program Files\MIP\CBSysTray.exe
C:\Program Files\Hewlett-Packard\Disc
C:\PROGRA~1\MICROS~2\OFFIC
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThi
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {48F1F4C5-160E-6087-2971-3
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O2 - BHO: (no name) - {E488A530-41F5-372E-D92E-3
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Progra~1\Symantec\Syman
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCt
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [RunWCW] C:\dowwapps\login\dwalogin
O4 - HKLM\..\Run: [DIRECT!] C:\Program Files\Courion Corporation\Identity Management Suite DIRECT!\direct.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrL
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLISt
O4 - HKLM\..\Run: [Synchronization Configuration] C:\Dowwapps\scripts\Config
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "c:\Program Files\Adobe\Distillr\Acrot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Project 2008\ELN\eln v11\hqtray.exe"
O4 - HKLM\..\Run: [Send2ENotebook virtual printer agent] "C:\Program Files\CambridgeSoft\E-Note
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServicesOnce: [MSHFLXGD] C:\WINDOWS\system32\regsvr
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.ex
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBoos
O4 - HKCU\..\Run: [Zrzg] "C:\Documents and Settings\u377480\Data\My Documents\??curity\w?crtup
O4 - HKCU\..\Run: [Daz] C:\WINDOWS\??sks\m?iexec.e
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.
O4 - Startup: ResetTrustedSiteLogon.vbs
O4 - Startup: Set IE for ProjectServer.vbs
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: s2enagentts.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
O4 - Global Startup: SMARTPaste.exe
O6 - HKCU\Software\Policies\Mic
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O15 - Trusted Zone: http://mdntepmoweb1.nam.dow.com
O15 - Trusted Zone: www.dow.com
O15 - Trusted Zone: http://*.mdntepmoweb1
O16 - DPF: IMWMLauncherCab - https://wbbc.mci.com/imwm/dotnet/IMWMLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O17 - HKLM\System\CS3\Services\T
O17 - HKLM\System\CS3\Services\T
O17 - HKLM\System\CCS\Services\T
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~
O21 - SSODL: aBFTkxzBfYWz - {D8E49C69-724E-36C3-4B47-2
O23 - Service: ACU Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.ex
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\MIP\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Progra~1\Symantec\Syman
O23 - Service: DWSService - The Dow Chemical Company - c:\dowwapps\dwsservice\dws
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\E
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-0222
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpms
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCf
O23 - Service: OracleORAHOME90ClientCache
O23 - Service: HP Enterprise Discovery Agent (prgnDiscAgent) - Unknown owner - c:\Program Files\Hewlett-Packard\Disc
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\R
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Progra~1\Symantec\Syman
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Progra~1\Symantec\Syman
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Project 2008\ELN\eln v11\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
O24 - Desktop Component 0: (no name) - http://www.bollywood4u.com/wallpapers/800x600jpg/aishwarya_rai_110_drcv.jpg
--
End of file - 16615 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:17 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\ibmpms
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\Ati2ev
C:\Program Files\Intel\Wireless\Bin\S
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spools
C:\WINDOWS\system32\acs.ex
C:\Progra~1\Symantec\Syman
C:\Program Files\Intel\Wireless\Bin\E
C:\Program Files\Google\Common\Google
C:\WINDOWS\system32\inetsr
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL
C:\PROGRA~1\AT&TGL~1\NetCf
c:\Program Files\Hewlett-Packard\Disc
C:\Program Files\Intel\Wireless\Bin\R
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter
C:\Progra~1\Symantec\Syman
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\System32\TPHDEX
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.
C:\WINDOWS\system32\vmnat.
C:\WINDOWS\system32\vmnetd
C:\Project 2008\ELN\eln v11\vmware-authd.exe
c:\dowwapps\dwsservice\dws
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Progra~1\Symantec\Syman
C:\PROGRA~1\Lenovo\PkgMgr\
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\PROGRA~1\THINKV~1\PrdCt
C:\Program Files\Lenovo\PkgMgr\HOTKEY
C:\Program Files\Lenovo\PkgMgr\HOTKEY
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\WINDOWS\system32\rundll
C:\WINDOWS\system32\TpScrL
C:\PROGRA~1\ThinkPad\UTILI
C:\WINDOWS\system32\TpShoc
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.E
C:\Program Files\Adobe\Distillr\Acrot
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Project 2008\ELN\eln v11\hqtray.exe
C:\Program Files\CambridgeSoft\E-Note
C:\Program Files\Google\GoogleToolbar
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.e
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EX
C:\Program Files\MIP\AgentSrv.EXE
C:\Program Files\MIP\CBSysTray.exe
C:\Program Files\Hewlett-Packard\Disc
C:\PROGRA~1\MICROS~2\OFFIC
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThi
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {48F1F4C5-160E-6087-2971-3
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O2 - BHO: (no name) - {E488A530-41F5-372E-D92E-3
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Progra~1\Symantec\Syman
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCt
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [RunWCW] C:\dowwapps\login\dwalogin
O4 - HKLM\..\Run: [DIRECT!] C:\Program Files\Courion Corporation\Identity Management Suite DIRECT!\direct.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrL
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLISt
O4 - HKLM\..\Run: [Synchronization Configuration] C:\Dowwapps\scripts\Config
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "c:\Program Files\Adobe\Distillr\Acrot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Project 2008\ELN\eln v11\hqtray.exe"
O4 - HKLM\..\Run: [Send2ENotebook virtual printer agent] "C:\Program Files\CambridgeSoft\E-Note
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServicesOnce: [MSHFLXGD] C:\WINDOWS\system32\regsvr
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.ex
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBoos
O4 - HKCU\..\Run: [Zrzg] "C:\Documents and Settings\u377480\Data\My Documents\??curity\w?crtup
O4 - HKCU\..\Run: [Daz] C:\WINDOWS\??sks\m?iexec.e
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.
O4 - Startup: ResetTrustedSiteLogon.vbs
O4 - Startup: Set IE for ProjectServer.vbs
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: s2enagentts.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
O4 - Global Startup: SMARTPaste.exe
O6 - HKCU\Software\Policies\Mic
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O15 - Trusted Zone: http://mdntepmoweb1.nam.dow.com
O15 - Trusted Zone: www.dow.com
O15 - Trusted Zone: http://*.mdntepmoweb1
O16 - DPF: IMWMLauncherCab - https://wbbc.mci.com/imwm/dotnet/IMWMLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O17 - HKLM\System\CS3\Services\T
O17 - HKLM\System\CS3\Services\T
O17 - HKLM\System\CCS\Services\T
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~
O21 - SSODL: aBFTkxzBfYWz - {D8E49C69-724E-36C3-4B47-2
O23 - Service: ACU Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.ex
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\MIP\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Progra~1\Symantec\Syman
O23 - Service: DWSService - The Dow Chemical Company - c:\dowwapps\dwsservice\dws
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\E
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-0222
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpms
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCf
O23 - Service: OracleORAHOME90ClientCache
O23 - Service: HP Enterprise Discovery Agent (prgnDiscAgent) - Unknown owner - c:\Program Files\Hewlett-Packard\Disc
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\R
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Progra~1\Symantec\Syman
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Progra~1\Symantec\Syman
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEX
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Project 2008\ELN\eln v11\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
O24 - Desktop Component 0: (no name) - http://www.bollywood4u.com/wallpapers/800x600jpg/aishwarya_rai_110_drcv.jpg
--
End of file - 16615 bytes
Virus files
Associated Antivirus 2008 Files:
c:\Program Files\Antivirus 2008
c:\Program Files\Antivirus 2008\Antvrs.exe
c:\Documents and Settings\forensics\Start Menu\Antivirus
c:\Documents and Settings\forensics\Desktop
c:\Documents and Settings\forensics\Applica
c:\Documents and Settings\forensics\Start Menu\Antivirus\Antivirus 2008.lnk
c:\Documents and Settings\forensics\Start Menu\Antivirus\Uninstall Antivirus.lnk
c:\Documents and Settings\forensics\Local Settings\Temporary Internet Files\Content.IE5\0L6FS9QR
c:\Documents and Settings\forensics\Local Settings\Temporary Internet Files\Content.IE5\IQJ9X5GB
Associated Antivirus 2008 Windows Registry Information:
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\SOFTWAR
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
Use of nod32 from eset is KNOWN TO REMOVE VIRUS
Download the trial of eset smart security
Remove all the associated keys or use MSCONFIG to remove the entries from startup.
If eset is complaining that there is a virus still in system vol then you may need to remove the hard drive and put it into another machine changing the permissions to remove it. Or just turn off system restore that will work.
Associated Antivirus 2008 Files:
c:\Program Files\Antivirus 2008
c:\Program Files\Antivirus 2008\Antvrs.exe
c:\Documents and Settings\forensics\Start Menu\Antivirus
c:\Documents and Settings\forensics\Desktop
c:\Documents and Settings\forensics\Applica
c:\Documents and Settings\forensics\Start Menu\Antivirus\Antivirus 2008.lnk
c:\Documents and Settings\forensics\Start Menu\Antivirus\Uninstall Antivirus.lnk
c:\Documents and Settings\forensics\Local Settings\Temporary Internet Files\Content.IE5\0L6FS9QR
c:\Documents and Settings\forensics\Local Settings\Temporary Internet Files\Content.IE5\IQJ9X5GB
Associated Antivirus 2008 Windows Registry Information:
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\SOFTWAR
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
Use of nod32 from eset is KNOWN TO REMOVE VIRUS
Download the trial of eset smart security
Remove all the associated keys or use MSCONFIG to remove the entries from startup.
If eset is complaining that there is a virus still in system vol then you may need to remove the hard drive and put it into another machine changing the permissions to remove it. Or just turn off system restore that will work.
ASKER
Removed teh hard drive already and changed teh machine, did work for a while after switching internet, but after 5 mins started to download something and hijacked memory. also tries, system restore chkdsk, and defrag - nothing worked- please don't tell me to throw it away - it's not mine.
Na viruses can be a real pain Suran78 and it sounds like your having a really bad time. I have removed the antivirus 2006-2008 line and you need to use the eset tools They will remove them.
Turn off system restore (required by virus usualy)
Use msconfig and untick all entries in the startup section.
Run a updated eset antivirus scan on the machine.
The problem with the anti virus series is they use as well viruses to reinfect your machine.
Turn off system restore (required by virus usualy)
Use msconfig and untick all entries in the startup section.
Run a updated eset antivirus scan on the machine.
The problem with the anti virus series is they use as well viruses to reinfect your machine.
You can also install an antivirus (nod32 for example, or Kaspersky), reboot the computer in "Safe Mode" and then do a full system scan.
I would recommend doing this with at least two different antivirus programs.
I would recommend doing this with at least two different antivirus programs.
Hi,
SDFix, FixIEDef, MalwareBytes, I think remove this infection but you have other infection showing in your logfile, purityscan/slickspring is also there.
You might like to use Combofix instead of tools that target antivirus 2008.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
This link tells you How to use Combofix as well as installing RC if you haven't yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
SDFix, FixIEDef, MalwareBytes, I think remove this infection but you have other infection showing in your logfile, purityscan/slickspring is also there.
You might like to use Combofix instead of tools that target antivirus 2008.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
This link tells you How to use Combofix as well as installing RC if you haven't yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ASKER
Unfortunately eset deleted my login script and explorer files together with Trojan virus. When I restarted my laptop, I could not login anymore - getting Fatal system error. Have to restage it now. Completely failure.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Anti-Virus Apps
Anti-virus software was originally developed to detect and remove computer viruses. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious layered service providers (LSPs), dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity theft (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threat (APT), botnets and DDoS attacks.
23K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
