Solved

Can't press right-click on IE 7 or 8!

Posted on 2009-07-14
Last Modified: 2013-12-06
Hi all,

I was attacked by spyware on my MSN which sends images, and when I tried to remove it I was hit by a bunch of spyware and viruses as a result of a fake antispyware, but finally I got my laptop healthy enough by running Ad-Aware, Spybot, Malwarebytes and McAfee antivirus.

But I only have one obvious problem, which I can't remove:

When I right-click in IE no context menu appears, although it works fine on files and the desktop.
I really ran out of ideas so I downloaded HJT and here is the log (in next reply); actually I don't know what to do with it.
Hope you can help me with it.
Operating system: XP Professional with SP3
Laptop: Lenovo T400

Question by: Maherenstein

Author Comment

by:Maherenstein
ID: 24849148
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:33 PM, on 7/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ngvpnmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINNT\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\IPSec Client\LucentIKESvc.exe
C:\Program Files\IPSec Client\LucentIKE.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\OPNET\AppCapture3.8\op_capture_server.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\TPHDEXLG.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINNT\system32\TpShocks.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINNT\PixArt\PAC207\Monitor.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINNT\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IPSec Client\trayicon.exe
C:\Program Files\TypeItIn\TypeItIn.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ngmonitor.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoconf.eu.alcatel.com/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Monitor] C:\WINNT\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"  /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINNT\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSN Optimized;US)" -"http://www.freeonlinegames.com/sports-games/street-sesh.html"
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: TypeItIn.lnk = C:\Program Files\TypeItIn\TypeItIn.exe
O4 - Global Startup: Aventail VPN Connection.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: IPSecClient Icon.lnk = C:\Program Files\IPSec Client\trayicon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://all.alcatel-lucent.com
O15 - Trusted Zone: http://*.alcatel-lucent.com
O15 - Trusted Zone: http://*.alcatel.com
O15 - Trusted Zone: http://*.lucent.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233484425406
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ALCATEL.EG
O17 - HKLM\Software\..\Telephony: DomainName = ALCATEL.EG
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D77BB65-DEF0-4A12-B91D-7EDD61CB9C2F}: NameServer = 155.132.188.74 155.132.180.74
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ALCATEL.EG
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: D:\DOCUME~1\AHMEDM~1\LOCALS~1\Temp\4067031113mmx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINNT\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c9ef56b5c6207a) (gupdate1c9ef56b5c6207a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LucentIKE - Unknown owner - C:\Program Files\IPSec Client\LucentIKESvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINNT\system32\ngvpnmgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OPNET Application Capture Agent - Unknown owner - C:\Program Files\OPNET\AppCapture3.8\op_capture_server.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\

--
End of file - 15876 bytes

Expert Comment

by:HainKurt
ID: 24849575
try to reset IE settings
tools -> internet options -> advanced -> reset

try to remove, disable or delete unused or unknown add-ons from IE
tools -> internet options -> programs-> manage add-ons

install Spybot Search & Destroy (do not install TeaTimer or other options that come with Spybot)
search & fix for spies...
select advanced menu
go to tools -> check all options, select system startup, disable/delete unused/unknown items (be careful before deleting, you may actually need some, so first disable, reboot)
go to activeX section, delete unused/unknown
go to BHOs, delete unused/unknown items

reboot...

Expert Comment

by:HainKurt
ID: 24849591
here is the screen shot from SpyBot...

Expert Comment

by:HainKurt
ID: 24849599
I missed the file...
SpyBot.gif

Accepted Solution

by: rpggamergirl (earned 500 total points)
ID: 24849601
O20 - AppInit_DLLs: D:\DOCUME~1\AHMEDM~1\LOCALS~1\Temp\4067031113mmx.dll
The above should go, but it will most likely come back when fixed.
Use Combofix and show us the logfile.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
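The O20 AppInit_DLLs line pointing into a Temp directory and the two O6 policy lines are the entries in the HijackThis log above that a reviewer would pick out first: AppInit_DLLs is loaded into every process that maps user32.dll, and an HKCU Internet Explorer\Restrictions policy key is where a value such as NoBrowserContextMenu (a real IE policy value; whether it is set on the asker's machine is not shown in this thread) disables the right-click menu. As an added example, not code from this thread, from HijackThis or from ComboFix, here is a small Python triage script that parses HijackThis-style lines and applies those rules. The sample log is constructed for the example from entries of the kinds seen above; the Temp-directory patterns and the rule set are the author's assumptions about what is worth flagging, not an exhaustive list.

```python
import re

# Constructed sample: a handful of HijackThis-style lines of the kinds that
# appear in the thread's log (the AppInit_DLLs path is the one from that log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: D:\DOCUME~1\AHMEDM~1\LOCALS~1\Temp\4067031113mmx.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# Every HijackThis finding is "<section code> - <body>"; header and blank lines differ.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")

# Directories a legitimate AppInit_DLLs value, Run entry or service should not
# live in (assumed set for the example; covers both long and 8.3 spellings).
TEMP_DIR_RE = re.compile(r"(\\temp\\|\\locals~1\\|\\local settings\\temp)", re.IGNORECASE)


def parse_hjt(text):
    """Return a list of (code, body) tuples for every R/F/O line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Apply the checks a log reviewer does by hand; returns [(code, reason, body)]."""
    findings = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # an empty AppInit_DLLs value is the normal state
                reason = "AppInit_DLLs loads this DLL into every process that maps user32.dll"
                if TEMP_DIR_RE.search(value):
                    reason += "; path is in a Temp directory"
                findings.append((code, reason, body))
        elif code == "O20" and "(file missing)" in body:
            findings.append((code, "Winlogon Notify entry points to a missing DLL (orphaned loader)", body))
        elif code == "O6":
            findings.append((code, "IE policy restrictions set under HKCU; a value such as "
                                   "NoBrowserContextMenu here disables the right-click menu", body))
        elif code in ("O4", "O23") and TEMP_DIR_RE.search(body):
            findings.append((code, "autostart entry or service runs from a Temp directory", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {body}")
```

Run against a saved log instead of the sample by reading the file into `parse_hjt`; the R/O section codes are stable across HijackThis 2.x, so the parser needs no per-version handling. The script only reports; removing an entry remains a deliberate step for the reviewer, which matters here because, as the answer says, an AppInit_DLLs entry dropped by active malware is re-created until the component that writes it is gone.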
 

Author Comment

by:Maherenstein
ID: 24850431
OK, first thanks HainKurt, but it didn't work.
Second, rpggamergirl: it is now working after the ComboFix, but I have some issues to ask you about:
when ComboFix started to run, it said that Spyware Doctor and McAfee are on. For McAfee I know it is on, and somehow I can't disable it, don't know why actually, the option is greyed out.
But Spyware Doctor I totally uninstalled from my computer!!! Any hints?
Second, now McAfee is disabled after the restart, but I will try to do a reboot and see if it is enabled.

Thanks so much for your help, and I am waiting for you to tell me the reason for what happened.

Author Comment

by:Maherenstein
ID: 24850437
ComboFix 09-07-13.01 - ahmed.maher 07/14/2009 17:58.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1976.1197 [GMT 3:00]
Running from: d:\documents and settings\ahmedmaher\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1137241160
c:\recycler\S-1-5-21-2645209000-5660436393-879092836-6312
c:\recycler\S-1-5-21-6881334539-1475835856-381520575-2464
c:\recycler\S-1-5-21-8931798572-7014533870-774769837-3149
c:\winnt\system32\hjgruigwwbhhos.dat
c:\winnt\system32\hjgruixakjallv.dat
d:\documents and settings\ahmedmaher\Application Data\bcrypt.html
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://eggizssus01.alcatel.eg
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_pcmstub
-------\Service_hjgruinskiltmb


(((((((((((((((((((((((((   Files Created from 2009-06-14 to 2009-07-14  )))))))))))))))))))))))))))))))
.

2009-07-14 13:06 . 2009-07-14 13:06      --------      d-----w-      c:\program files\Trend Micro
2009-07-13 00:03 . 2009-07-13 00:03      --------      d-----w-      d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-13 00:01 . 2009-07-13 00:01      --------      d-sh--w-      d:\documents and settings\Administrator\PrivacIE
2009-07-13 00:00 . 2009-07-13 00:00      --------      d-sh--w-      d:\documents and settings\Administrator\IETldCache
2009-07-12 22:07 . 2009-07-03 14:49      15688      ----a-w-      c:\winnt\system32\lsdelete.exe
2009-07-12 20:18 . 2009-07-03 14:49      64160      ----a-w-      c:\winnt\system32\drivers\Lbd.sys
2009-07-12 20:13 . 2009-07-12 20:17      --------      d-----w-      d:\documents and settings\ahmedmaher\Local Settings\Application Data\Temp
2009-07-12 20:12 . 2009-07-12 20:12      --------      dc-h--w-      d:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-12 20:09 . 2009-07-12 20:18      --------      d-----w-      d:\documents and settings\All Users\Application Data\Lavasoft
2009-07-12 20:09 . 2009-07-12 20:09      --------      d-----w-      c:\program files\Lavasoft
2009-07-12 18:45 . 2009-07-12 18:45      --------      d-----w-      d:\documents and settings\ahmedmaher\Application Data\Malwarebytes
2009-07-12 18:44 . 2009-06-17 08:27      38160      ----a-w-      c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-12 18:44 . 2009-07-12 18:44      --------      d-----w-      d:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-12 18:44 . 2009-06-17 08:27      19096      ----a-w-      c:\winnt\system32\drivers\mbam.sys
2009-07-12 18:44 . 2009-07-12 18:45      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-07-12 11:32 . 2009-07-12 11:35      --------      d-----w-      C:\I386
2009-07-12 01:22 . 2009-07-12 01:22      --------      d-sh--w-      d:\documents and settings\NetworkService\IETldCache
2009-07-12 01:14 . 2009-07-12 01:15      --------      dc-h--w-      c:\winnt\ie8
2009-07-12 00:16 . 2009-07-12 00:20      --------      d-----w-      c:\program files\Spybot - Search & Destroy
2009-07-12 00:16 . 2009-07-12 00:20      --------      d-----w-      d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-11 17:54 . 2009-07-11 17:54      --------      d-----w-      c:\program files\Microsoft Silverlight
2009-07-11 13:35 . 2009-07-11 13:35      --------      d-----w-      c:\winnt\system32\config\systemprofile\Tracing
2009-07-11 12:42 . 2009-07-11 12:42      --------      d-sh--w-      c:\winnt\system32\config\systemprofile\PrivacIE
2009-07-11 12:35 . 2009-07-11 12:35      --------      d-----w-      c:\program files\Common Files\Wise Installation Wizard
2009-07-11 12:28 . 2009-07-11 12:28      --------      d-sh--w-      c:\winnt\system32\config\systemprofile\IETldCache
2009-07-11 12:28 . 2009-07-12 22:15      0      ----a-w-      c:\winnt\system32\drivers\c5b0c5dc.sys
2009-07-11 12:09 . 2009-07-11 12:09      --------      d-sh--w-      d:\documents and settings\LocalService\IETldCache
2009-07-11 11:58 . 2009-07-12 20:12      --------      d---a-w-      d:\documents and settings\All Users\Application Data\TEMP
2009-07-11 11:58 . 2009-07-12 20:47      --------      d-----w-      c:\program files\Spyware Doctor
2009-07-11 07:57 . 2009-07-12 20:13      1      ----a-w-      c:\winnt\AR.DAT
2009-07-11 07:56 . 2009-07-11 07:58      --------      d-----w-      c:\program files\AddRemove
2009-07-10 20:07 . 2009-07-10 20:07      --------      d-----w-      c:\program files\Common Files\Intel
2009-07-10 18:28 . 2009-07-10 18:28      --------      d-----w-      c:\winnt\35C03C043F1F42C2A989A757EE691F65.TMP
2009-07-10 09:22 . 2008-02-08 06:46      57408      ------w-      c:\winnt\system32\drivers\wsimd.sys
2009-07-10 09:22 . 2009-03-24 14:14      254022      ----a-w-      c:\winnt\system32\wsfwDS.dll
2009-07-10 09:22 . 2009-03-24 14:14      249924      ----a-w-      c:\winnt\system32\wsimd.dll
2009-07-10 09:22 . 2009-03-24 13:55      82017      ----a-r-      c:\winnt\system32\dsaNac.dll
2009-07-10 09:22 . 2009-03-24 13:55      1269854      ----a-r-      c:\winnt\system32\dsa.dll
2009-07-10 09:22 . 2008-11-05 16:09      1343616      ----a-w-      c:\winnt\system32\athw.sys
2009-07-10 09:22 . 2008-02-08 06:46      57408      ----a-w-      c:\winnt\system32\wsimd.sys
2009-07-10 09:22 . 2006-08-07 11:17      118784      ----a-w-      c:\winnt\system32\ATHCFG10.DLL
2009-07-07 21:04 . 2009-07-07 21:04      --------      d-----w-      d:\documents and settings\ahmedmaher\Local Settings\Application Data\Help
2009-07-07 10:46 . 2009-07-07 10:46      --------      d-----w-      c:\program files\Sierra
2009-07-07 10:46 . 2009-07-07 10:46      --------      d-----w-      c:\program files\WON
2009-07-06 17:00 . 2008-08-15 17:12      4224      ----a-w-      c:\winnt\system32\drivers\IBMBLDID.sys
2009-07-06 17:00 . 2008-08-15 17:12      11520      ----a-w-      c:\winnt\system32\drivers\ANC.sys
2009-07-01 18:23 . 2009-07-01 18:23      --------      d-----w-      c:\program files\iPod
2009-07-01 18:23 . 2009-07-01 18:23      --------      d-----w-      c:\program files\iTunes
2009-07-01 01:34 . 2009-07-04 20:32      45056      ----a-w-      c:\winnt\NCUNINST.EXE
2009-07-01 00:54 . 2009-07-01 00:54      --------      d-----w-      c:\program files\Common Files\SWF Studio
2009-06-24 04:11 . 2009-06-24 04:11      83028      ----a-w-      d:\documents and settings\ahmedmaher\catalina.2009-06-24.zip
2009-06-19 19:17 . 2009-06-20 12:07      10091520      ----a-w-      d:\documents and settings\ahmedmaher\Binary-Library.zip
2009-06-17 18:40 . 2009-06-17 18:40      --------      d-----w-      d:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-17 18:10 . 2009-06-17 18:10      --------      d-----w-      d:\documents and settings\ahmedmaher\Application Data\PC Suite
2009-06-17 18:10 . 2009-06-17 18:10      --------      d-----w-      d:\documents and settings\ahmedmaher\Application Data\Nokia
2009-06-17 18:10 . 2009-06-17 18:10      --------      d-----w-      d:\documents and settings\All Users\Application Data\PC Suite
2009-06-17 18:09 . 2007-09-17 12:53      21632      ----a-w-      c:\winnt\system32\drivers\pccsmcfd.sys
2009-06-17 18:09 . 2009-06-17 18:09      --------      d-----w-      c:\program files\PC Connectivity Solution
2009-06-17 18:09 . 2008-05-07 04:38      90624      ----a-w-      c:\winnt\system32\nmwcdcls.dll
2009-06-17 18:09 . 2009-06-17 18:09      --------      d-----w-      c:\program files\Nokia
2009-06-17 18:08 . 2009-06-17 18:08      --------      d-----w-      d:\documents and settings\All Users\Application Data\Installations
2009-06-17 14:20 . 2009-06-17 14:20      --------      d-----w-      d:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-17 14:19 . 2009-07-12 20:18      --------      d-----w-      d:\documents and settings\ahmedmaher\Local Settings\Application Data\Google
2009-06-17 14:19 . 2009-07-12 20:17      --------      d-----w-      c:\program files\Google

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-14 15:03 . 2009-07-14 15:03      100880      ----a-w-      c:\winnt\system32\WPRO_40_1040woem.tmp
2009-07-14 14:58 . 2009-04-05 12:20      --------      d-----w-      d:\documents and settings\ahmedmaher\Application Data\Skype
2009-07-14 06:56 . 2009-04-05 12:21      --------      d-----w-      d:\documents and settings\ahmedmaher\Application Data\skypePM
2009-07-14 06:47 . 2009-01-29 11:54      40840      -c--a-w-      d:\documents and settings\ahmedmaher\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-11 14:52 . 2008-09-12 18:33      182656      -c--a-w-      c:\winnt\system32\drivers\ndis.sys
2009-07-11 14:38 . 2009-02-09 00:52      --------      d-----w-      d:\documents and settings\ahmedmaher\Application Data\uTorrent
2009-07-11 13:29 . 2009-07-11 12:30      4      ---h--w-      c:\winnt\Fonts\mlog
2009-07-11 12:28 . 2009-02-01 10:47      --------      d-----w-      c:\program files\IDM Computer Solutions
2009-07-11 08:48 . 2009-03-17 13:51      --------      d-----w-      c:\program files\Windows Live
2009-07-10 20:07 . 2009-01-28 18:44      --------      d-----w-      c:\program files\Intel
2009-07-10 18:27 . 2009-04-01 12:26      --------      d-----w-      d:\documents and settings\ahmedmaher\Application Data\DMCache
2009-07-10 09:23 . 2009-07-10 09:23      --------      d--h--r-      d:\documents and settings\All Users\Application Data\Atheros
2009-07-10 09:22 . 2009-01-28 18:42      --------      d-----w-      c:\program files\Lenovo
2009-07-10 09:22 . 2008-09-12 17:14      --------      d--h--w-      c:\program files\InstallShield Installation Information
2009-06-30 22:39 . 2009-04-09 14:33      --------      d-----w-      c:\program files\ACE Mega CoDecS Pack
2009-06-11 22:37 . 2009-06-11 22:37      1148      ----a-w-      c:\winnt\system32\ezdigsgn.dat
2009-06-11 21:06 . 2009-06-07 23:38      230432      ----a-w-      C:\PA207.DAT
2009-06-03 21:01 . 2009-06-03 21:01      --------      d-----w-      c:\program files\Common Files\Look110
2009-06-03 21:01 . 2009-06-03 21:01      --------      d-----w-      c:\program files\Look 110
2009-06-03 21:01 . 2009-06-03 21:01      --------      d-----w-      d:\documents and settings\ahmedmaher\Application Data\InstallShield
2008-02-02 10:27 . 2008-09-12 16:58      67696      ----a-w-      c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:27 . 2008-09-12 16:58      54376      -c--a-w-      c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:27 . 2008-09-12 16:58      34952      ----a-w-      c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:27 . 2008-09-12 16:58      46720      ----a-w-      c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:27 . 2008-09-12 16:58      172144      -c--a-w-      c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-02-13 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-05 3900936]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-10-13 150040]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-10-13 178712]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2008-10-13 150040]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-07-29 242976]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-07-28 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-07-28 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-31 60192]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Monitor"="c:\winnt\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-05-18 136512]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-08-15 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-15 143360]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-02-27 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-27 111952]
"TpShocks"="TpShocks.exe" - c:\winnt\system32\TpShocks.exe [2008-06-06 181536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\system32\CTFMON.EXE" [2008-04-14 15360]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-05 3900936]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

d:\documents and settings\ahmedmaher\Start Menu\Programs\Startup\
TypeItIn.lnk - c:\program files\TypeItIn\TypeItIn.exe [2009-2-1 858624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37      34344      ----a-w-      c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 14:02      34080      ----a-w-      c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-08-15 18:37      32768      ----a-w-      c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages      REG_MULTI_SZ         scecli ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2774792575-1536966407-3611087897-1004\Scripts\Logoff\0\0]
"Script"=KEYBOARD.CMD

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2774792575-1536966407-3611087897-1004\Scripts\Logoff\0\1]
"Script"=c:\program files\Profile Light\Logoff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2774792575-1536966407-3611087897-500\Scripts\Logoff\0\0]
"Script"=KEYBOARD.CMD

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2774792575-1536966407-3611087897-500\Scripts\Logoff\0\1]
"Script"=c:\program files\Profile Light\Logoff.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Documents and Settings\\ahmedmaher\\Desktop\\1-sbcl\\SBCL v1.0i.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\WINNT\\system32\\ftp.exe"=
"c:\\Program Files\\AR System\\HOME\\ALPrograms\\wget.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AR System\\User\\alert.exe"=
"d:\\PES2009\\pes2009.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Fasttrak;Fasttrak;c:\winnt\system32\drivers\Fasttrak.sys [9/12/2008 9:35 PM 75520]
R0 lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [7/12/2009 11:18 PM 64160]
R0 Shockprf;Shockprf;c:\winnt\system32\drivers\ApsX86.sys [5/14/2008 7:21 PM 114728]
R0 TPDIGIMN;TPDIGIMN;c:\winnt\system32\drivers\ApsHM86.sys [5/14/2008 7:21 PM 19496]
R1 TPPWRIF;TPPWRIF;c:\winnt\system32\drivers\TPPWRIF.SYS [1/28/2009 10:01 PM 4442]
R2 HumDisplayServer;Hummingbird Exceed Display Management;c:\program files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe [7/23/2003 5:19 PM 53248]
R2 I2C;I2C;c:\winnt\system32\wbem\agent\ci\i2cnt.sys [1/28/2009 9:50 PM 35704]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 5:49 PM 1029456]
R2 LucentIKE;LucentIKE;c:\program files\IPSec Client\lucentikesvc.exe [1/28/2009 10:34 PM 147456]
R2 NgVpnMgr;Aventail VPN Client;c:\winnt\system32\ngvpnmgr.exe [11/19/2007 4:21 PM 205381]
R2 OPNET Application Capture Agent;OPNET Application Capture Agent;c:\program files\OPNET\AppCapture3.8\op_capture_server.exe [9/12/2008 8:14 PM 929792]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\winnt\system32\drivers\e1y5132.sys [9/12/2008 9:34 PM 244368]
R3 LuIPSec;Alcatel-Lucent VPN Miniport;c:\winnt\system32\drivers\luipsec.sys [1/28/2009 10:34 PM 320768]
R3 NgLog;Aventail VPN Logging;c:\winnt\system32\drivers\nglog.sys [11/19/2007 4:19 PM 25240]
R3 NgVpn;Aventail VPN Adapter;c:\winnt\system32\drivers\ngvpn.sys [11/19/2007 4:20 PM 76440]
R3 WPRO_40_1040;WinPcap Packet Driver (WPRO_40_1040);c:\winnt\system32\drivers\WPRO_40_1040.sys --> c:\winnt\system32\drivers\WPRO_40_1040.sys [?]
R3 WSIMD;wsimd Service;c:\winnt\system32\drivers\wsimd.sys [7/10/2009 12:22 PM 57408]
S1 c5b0c5dc;c5b0c5dc;c:\winnt\system32\drivers\c5b0c5dc.sys [7/11/2009 3:28 PM 0]
S2 gupdate1c9ef56b5c6207a;Google Update Service (gupdate1c9ef56b5c6207a);c:\program files\Google\Update\GoogleUpdate.exe [6/17/2009 5:20 PM 133104]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [1/28/2009 10:01 PM 94208]
S3 NgFilter;Aventail VPN Filter;c:\winnt\system32\drivers\ngfilter.sys [11/19/2007 4:20 PM 20632]
S3 NgWfp;Aventail VPN Callout;c:\winnt\system32\drivers\ngwfp.sys [11/19/2007 4:20 PM 21656]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [11/6/2007 11:22 PM 34064]
S3 PAC207;Look 110;c:\winnt\system32\drivers\PFC027.SYS [6/4/2009 12:01 AM 507264]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Profile}]
d:\config\master\profile\profile.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{QIESettings_10}]
c:\program files\IEsettings_10\cu.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Hibernate]
powercfg /CHANGE Portable/Laptop /hibernate-timeout-ac 0

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Office Communicator 2005]
c:\winnt\Installer\Microsoft Office Communicator 2005\AFTER.EXE /S

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MSOffice_2003]
c:\program files\Microsoft Office\Office11\cu.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OfficeTemplates_10]
c:\program files\Microsoft Office\Templates\Alcatel-Lucent\Templates.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PDFCreator_091]
c:\winnt\Installer\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}\PDFCreator_CU.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\QuickTime_745]
d:\documents and settings\All Users\Application Data\Apple Computer\QuickTime\cu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\RealPlayer_1061]
c:\program files\Real\RealPlayer\cu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Shockwave11]
c:\winnt\INSTALLER\MACROMEDIA\cu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\SonicDigitalMediaPlus_70]
c:\program files\Common Files\Sonic Shared\Sonic Central\cu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Standby]
powercfg /CHANGE Portable/Laptop /standby-timeout-ac 0

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7WMP_USER]
c:\program files\Windows Media Player\cu.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-14 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 14:19]

2009-07-14 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 14:19]

2009-07-14 c:\winnt\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-01-28 17:43]

2009-07-14 c:\winnt\Tasks\User_Feed_Synchronization-{EE86FC14-8562-4813-8147-8473A7131BF7}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 01:31]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-RunOnce-Shockwave Updater - c:\winnt\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = tux-04.net.alcatel.be:1080
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: alcatel-lucent.com
Trusted Zone: alcatel-lucent.de
Trusted Zone: alcatel-lucent.fr
Trusted Zone: alcatel.com
Trusted Zone: alcatel.de
Trusted Zone: alcatel.fr
Trusted Zone: frillslib01
Trusted Zone: lucent.com
Trusted Zone: alcatel-lucent.com
Trusted Zone: alcatel-lucent.de
Trusted Zone: alcatel-lucent.fr
Trusted Zone: alcatel.com
Trusted Zone: alcatel.de
Trusted Zone: alcatel.fr
Trusted Zone: automation.local
Trusted Zone: frillslib01
Trusted Zone: frmeus0dvp01
Trusted Zone: lucent.com
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 18:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,b4,36,b6,28,ca,26,45,ba,4c,c4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,b4,36,b6,28,ca,26,45,ba,4c,c4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1676)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(1732)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

- - - - - - - > 'explorer.exe'(1640)
c:\winnt\system32\btmmhook.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\OneX.DLL
c:\winnt\system32\eappprxy.dll
c:\winnt\system32\webcheck.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\9.00\Hummingbird Neighborhood\heshell.dll
c:\winnt\system32\btncopy.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\winnt\system32\jsproxy.dll
c:\winnt\system32\netprovcredman.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\winnt\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\IPSec Client\lucentike.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\winnt\system32\TPHDEXLG.exe
c:\winnt\system32\TpKmpSvc.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\winnt\system32\igfxsrvc.exe
c:\winnt\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\winnt\system32\wbem\unsecapp.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\winnt\system32\wbem\unsecapp.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\ThinkPad\Bluetooth Software\BTTray.exe
c:\program files\IPSec Client\trayicon.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-07-14 18:09 - machine was rebooted
ComboFix-quarantined-files.txt  2009-07-14 15:08

Pre-Run: 22,125,293,568 bytes free
Post-Run: 22,070,697,984 bytes free

405      --- E O F ---      2009-05-19 00:06
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24855307
Spyware Doctor is still there; if you've already uninstalled it, then we will remove its leftovers.

You have some archives showing in the log, which I assume you recognize (I haven't checked them).


Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\winnt\system32\drivers\c5b0c5dc.sys

Folder::
c:\program files\Spyware Doctor

DirLook::
c:\winnt\Fonts\mlog

Driver::
c5b0c5dc

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.



I'm not sure why the option is greyed out; usually nasties add restrictions so you can't change it after the virus has disabled it, but with yours it was still enabled.

To disable McAfee:(thanks to b0lsc0tt)
Open McAfee Security Center, go to the Advanced menu, click on 'Configure' and then run through the "computer and files", "internet", and "email and IM" categories; in each one there is a manual option to turn off the protection (click the off bubble).
0
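The reply above singles out c5b0c5dc.sys for the CFScript because of what its line in the log shows: a boot/system-start driver (S1) with an 8-character hex name, no descriptive display name and a file size of 0, while the WPRO_40_1040 entry points at a file that no longer exists ("--> ... [?]"). The following is an added triage example, not part of this thread and not a ComboFix feature: a small Python parser for the "services/drivers" lines in a ComboFix log that applies exactly those heuristics. The line format is my reading of the lines shown in the log above, and the flag rules are my own assumptions; the sample input is five lines copied from that log and grouped into a constructed string.

```python
import re

# Constructed sample: five services/drivers lines copied from the ComboFix
# log posted in this thread (one benign AV driver, one benign VPN service,
# one WinPcap driver whose file is gone, the zero-byte S1 driver, and NPF).
SAMPLE_LINES = r"""
R0 lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [7/12/2009 11:18 PM 64160]
R2 NgVpnMgr;Aventail VPN Client;c:\winnt\system32\ngvpnmgr.exe [11/19/2007 4:21 PM 205381]
R3 WPRO_40_1040;WinPcap Packet Driver (WPRO_40_1040);c:\winnt\system32\drivers\WPRO_40_1040.sys --> c:\winnt\system32\drivers\WPRO_40_1040.sys [?]
S1 c5b0c5dc;c5b0c5dc;c:\winnt\system32\drivers\c5b0c5dc.sys [7/11/2009 3:28 PM 0]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [11/6/2007 11:22 PM 34064]
"""

# Assumed line layout (from the log above):
#   <start type> <service name>;<display name>;<image path> [<date> <time> <size>]
# or, when the image is missing on disk:
#   ... <image path> --> <image path> [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
TAIL_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")  # assumed: 8 lowercase hex chars
EARLY_START = {"R0", "R1", "S0", "S1"}       # boot/system start, before most AV


def parse_service_line(line):
    """Return a dict for one services/drivers line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    t = TAIL_RE.match(m.group("rest"))
    if not t:
        return None
    # For "a --> b [?]" keep the registered path (left of the arrow).
    path = t.group("path").split(" --> ")[0].strip()
    meta = t.group("meta").strip()
    missing = meta == "?"
    size = None if missing else int(meta.split()[-1])
    return {
        "start": m.group("start"),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path,
        "size": size,
        "missing": missing,
    }


def suspicious_flags(entry):
    """Heuristic flags (my assumptions, not ComboFix's own verdicts)."""
    flags = []
    if entry["missing"]:
        flags.append("image file not found on disk")
    elif entry["size"] == 0:
        flags.append("zero-byte image")
    if HEX_NAME_RE.match(entry["name"]) and entry["display"] == entry["name"]:
        flags.append("random hex-style service name, no descriptive display name")
    if flags and entry["start"] in EARLY_START:
        flags.append("loads at %s (boot/system start, before most AV)" % entry["start"])
    return flags


def triage(text):
    """Return (service name, image path, flags) for every flagged line in text."""
    findings = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        flags = suspicious_flags(entry)
        if flags:
            findings.append((entry["name"], entry["path"], flags))
    return findings


if __name__ == "__main__":
    for name, path, flags in triage(SAMPLE_LINES):
        print("%s: %s" % (name, path))
        for flag in flags:
            print("    - " + flag)
```

Run against the sample, it reports only WPRO_40_1040 (missing file) and c5b0c5dc (zero-byte, hex-style name, S1 start), which is the same entry the CFScript above deletes and deregisters. A missing or zero-byte driver can also be the residue of a failed uninstall (a WinPcap driver left behind by a capture tool is common), so treat these flags as a reason to look at the file and its registry service key, not as proof of infection on their own.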
