Need help with virus
   

Jade71
New Member


Date Joined Nov 2008
Total Posts : 8
 
Posted 11-29-2008 10:28 (GMT +1)
I tried to download Service Pack 1a and it won't let me. I was able to get hijackthis and retrieve a log to send you. It started with redirects online and the Antivirus2009 coming up. I think I have removed the Antivirus2009, but when Bulldog scans after I've been online I continually have (2) files showing up... SVChost.exe ~ trojan.downloader.JLFR. What other information do you need to look at?
Here is the hijackthis log:
 
 
Logfile of HijackThis v1.99.1
Scan saved at 3:46:57 PM, on 11/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\program files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSCM.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Kristen\My Documents\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [tgcmd] "c:\program files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Download] "C:\Program Files\Bellsouth\HelpCenter\ssGet.exe" 120 "http://download.fastaccess.com/download/HC43SInstaller.exe" "HC43SInstaller.exe"
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199760516625
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: psfus - C:\Program Files\IBM fingerprint software\psfus.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
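As an added example (not code from this thread or from any of the tools named in it), a small Python triage script for two of the logs quoted here: it flags HijackThis O4 Run entries whose program name is a Windows system binary launched from outside its normal directory, like the svchost.exe under system32\drivers in the log above, and it compares the Sigcheck rows from the ComboFix log posted later in the thread to spot a system32 file whose MD5 no longer matches the ServicePackFiles copy of the same size. The CANONICAL_DIRS table and the assumption that the Windows directory is \WINDOWS are mine.

```python
import re
from collections import defaultdict

# Binaries malware likes to impersonate by name, mapped to the directory they
# legitimately run from on an XP install whose Windows directory is \WINDOWS
# (true for the machine in this thread; an assumption of this example).
CANONICAL_DIRS = {
    "svchost.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
}
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
SIGCHECK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (\d+) ([0-9a-f]{32}) (.+)$")


def command_path(cmd):
    """Program path from an O4 command: quoted, unquoted (cut after '.exe') or rundll32 DLL."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    lowered = cmd.lower()
    if lowered.startswith("rundll32 "):
        return cmd[len("rundll32 "):].split(",")[0].strip()
    end = lowered.find(".exe")
    return cmd[:end + 4] if end != -1 else cmd.split()[0]


def split_path(path):
    """(directory, basename) lower-cased, drive letter dropped,
    %SystemRoot%/%windir% normalised to \\windows."""
    path = path.lower().replace("%systemroot%", r"\windows").replace("%windir%", r"\windows")
    if "\\" not in path:
        return "", path
    directory, name = path.rsplit("\\", 1)
    if len(directory) >= 2 and directory[1] == ":":
        directory = directory[2:]
    return directory, name


def triage_o4(text):
    """[(label, path, [reasons])] for O4 Run entries that deserve a look."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        label, path = m.group("label"), command_path(m.group("cmd"))
        directory, name = split_path(path)
        reasons = []
        if name in CANONICAL_DIRS and directory != CANONICAL_DIRS[name]:
            reasons.append("system binary name run from '%s', expected '%s'"
                           % (directory or "<no path>", CANONICAL_DIRS[name]))
        if label.lower() in CANONICAL_DIRS:
            reasons.append("Run value named after a system process")
        if reasons:
            findings.append((label, path, reasons))
    return findings


def triage_sigcheck(text):
    """[(name, live_date, reference_md5, live_md5)] for each \\system32 file whose MD5
    differs from the ServicePackFiles\\i386 copy of the SAME size: an in-place patch."""
    rows = defaultdict(list)
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            date, size, md5, path = m.groups()
            rows[path.rsplit("\\", 1)[-1].lower()].append((date, int(size), md5, path.lower()))
    findings = []
    for name, entries in rows.items():
        live = [e for e in entries if "\\system32\\" in e[3]]
        reference = [e for e in entries if "\\servicepackfiles\\i386\\" in e[3]]
        for cur in live:
            for ref in reference:
                if cur[1] == ref[1] and cur[2] != ref[2]:
                    findings.append((name, cur[0], ref[2], cur[2]))
    return findings


# Rows copied from the HijackThis log in the first post.
HJT_SAMPLE = r'''
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
'''
# Rows copied from the Sigcheck block of the ComboFix log later in the thread.
SIGCHECK_SAMPLE = r'''
2004-08-04 08:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-11-26 09:38 507904 3969440ba384d35317dbbdeeaae641ce c:\windows\system32\winlogon.exe
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-26 09:38 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
'''

if __name__ == "__main__":
    for label, path, reasons in triage_o4(HJT_SAMPLE):
        print("O4 [%s] %s: %s" % (label, path, "; ".join(reasons)))
    for name, date, ref_md5, live_md5 in triage_sigcheck(SIGCHECK_SAMPLE):
        print("%s changed %s: md5 %s (SP3 reference %s)" % (name, date, live_md5, ref_md5))
```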
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 11-30-2008 5:02 (GMT +1)
Hello
 
 
Please download Malwarebytes' Anti-Malware:
 
Or here:
 
 to your desktop.
 
Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.
 
Be sure that everything is checked, and click Remove Selected.
 
When completed, a log will open in Notepad. Please save it to a convenient location.
 
Run a complete scan with Bullguard.
 
Copy and Paste Malwarebytes log into your next reply, along with a Bullguard log.
 
 
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

 

Jade71
New Member


Date Joined Nov 2008
Total Posts : 8
 
Posted 11-30-2008 7:05 (GMT +1)
The first option didn't work, it wouldn't let me download. The second would (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968). I was able to download this to my desktop, but I can't install. When I double-clicked on mbam-setup I receive a box that asks if I want to run? I click run and nothing happens. ???
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 11-30-2008 7:08 (GMT +1)
Ok. Try this -
 
Download Malwarebytes
 
Or here:

Save the file as setup.exe

Run the setup.exe file
When it gets to the final step of the installation it will seem like it froze... it hasn't, but it will take anywhere from 15 mins to an hour to get through that step, so just let it do its thing.
Go into the Malware folder through Program Files.
Rename the mbam.exe or what not file to mab.exe and run it.
Do a full computer scan.
Check all and remove/fix/delete them.

Restart your computer and post the logs.
 



 

Jade71
New Member


Date Joined Nov 2008
Total Posts : 8
 
Posted 11-30-2008 10:19 (GMT +1)
I followed your instructions and when I came to the end of the installation process it did look like it was frozen. You said to let it go and that it might take an hour... it's been almost 6 hours... I suspect I've done something wrong???
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 12-1-2008 9:02 (GMT +1)
Not necessarily
 
Let's try this scanner -
 
 and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

When you have done this, please boot into Safe Mode (Tap F8 during startup).

Open the extracted folder - C:\SDFix and double-click on RunThis.bat to start the script.

Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. When you hit any key, your computer will reboot. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons.
 
 
Open the SDFix folder on your desktop and copy and paste the contents of Report.txt



 

Jade71
New Member


Date Joined Nov 2008
Total Posts : 8
 
Posted 12-1-2008 3:01 (GMT +1)
Ughhh...no luck - I can't download it.
Don't know if this info is needed, but when I try to run Malware it is now giving me two errors - Run-time error '0' and Run-time error '440' automation error. 
 

Jade71
New Member


Date Joined Nov 2008
Total Posts : 8
 
Posted 12-2-2008 12:23 (GMT +1)
Ok, I figured out how to install malware. I had to do it through safe mode and change the names to Malwar. Then I had to change out of safe mode to be able to change to mab.exe... but I got it to work finally. Here are the logs:
Malware:
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3
12/1/2008 5:50:46 PM
mbam-log-2008-12-01 (17-50-46).txt
Scan type: Full Scan (C:\|)
Objects scanned: 98939
Time elapsed: 22 minute(s), 56 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11
Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85685713120975186604120059297779 (Rogue.Antivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\winsrc.dll (Adware.Toolbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSScfum.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSofxh.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Rootkit.Agent) -> Delete on reboot.


Bullguard is taking some time - I will send the log as soon as I can






 

Jade71
New Member


Date Joined Nov 2008
Total Posts : 8
 
Posted 12-2-2008 1:00 (GMT +1)
Here is the Bullguard scan:
BullGuard Scan Report
Scan Profile: "My Computer"
___________________________________________________________

----[  System Info  ]------------
OS Version: Microsoft Windows XP Professional - Service Pack 3 (Build 2600) [1 * x86 CPUs]
Physical memory: 512 MB
System up-time: 0 days, 01 hours, 01 minutes, 25 seconds
BullGuard up-time: 0 days, 00 hours, 59 minutes, 42 seconds
TopLayer Version: 8, 5, 0, 17
FileSpy5 Version: N/A
BdFileSpy Version: 3.12.0.62 built by: WinDDK
BsFileScan Version: 8, 5, 0, 67
Reconn Version: 1.1.0.5 built by: WinDDK
MailProxy Version: 8, 5, 0, 20
AntiVirus Version: 8, 5, 0, 47
----[  Scan Parameters  ]------------
Folders to scan:
    C:\
Excluded folders:
    None
Files to scan:
    None
Scan type:
    [o] Scan all files
    [ ] Scan program files only
    [ ] Scan custom extensions:
    [X] Exclude user extensions: lnk
    [X] Scan boot sectors
    [X] Scan packed files
    [X] Scan archives
    [X] Scan emails
    [X] Scan running processes
    [X] Scan registry
    [X] Scan IE cookies
    [X] Enable heuristic detection
    [ ] Scan default action
___________________________________________________________
Scan Statistics
___________________________________________________________
Scan started: Monday, December 01, 2008 18:54:10
Scan duration: 0 days, 00 hours, 50 minutes, 19 seconds
Completion status: Successful
Total files scanned: 213105
Total files skipped: 48
Identified viruses: 1
Scan speed: 70.59 files/sec
Files skipped:
    C:\5d42c1deaec642d74ef4d7e66be0\SP2GDR\fltlib.dll [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\SP2GDR\fltmc.exe [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\SP2GDR\fltmgr.sys [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\SP2QFE\fltlib.dll [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\SP2QFE\fltmc.exe [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\SP2QFE\fltmgr.sys [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\spmsg.dll [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\spuninst.exe [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\branches.inf [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\eula.txt [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\KB922582.CAT [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\spcustom.dll [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\update.exe [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\update.ver [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\updatebr.inf [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\update_SP2GDR.inf [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\update_SP2QFE.inf [Open Failed]
    C:\5d42c1deaec642d74ef4d7e66be0\update\updspapi.dll [Open Failed]
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp [Open Failed]
    C:\Documents and Settings\Kristen\Application Data\Adobe\Acrobat\7.0\Messages\ENU\read0600win_ENUadbe0700b.pdf [Password protected]
    C:\Documents and Settings\Kristen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
    C:\Documents and Settings\Kristen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
    C:\Documents and Settings\Kristen\ntuser.dat [Open Failed]
    C:\Documents and Settings\Kristen\ntuser.dat.LOG [Open Failed]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
    C:\Documents and Settings\LocalService\NTUSER.DAT [Open Failed]
    C:\Documents and Settings\LocalService\ntuser.dat.LOG [Open Failed]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat [Open Failed]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG [Open Failed]
    C:\Documents and Settings\NetworkService\NTUSER.DAT [Open Failed]
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG [Open Failed]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\ENU\RdrMsgENU.pdf [Password protected]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\RdrMsgSplash.pdf [Password protected]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\WebSearch\WebSearchENU.pdf [Password protected]
    C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig710\ENU\Data1.cab=>WebSearchENU.pdf [Password protected]
    C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig710\ENU\Data1.cab=>RdrMsgENU.pdf [Password protected]
    C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig710\ENU\Data1.cab=>RdrMsgSplash.pdf [Password protected]
    C:\WINDOWS\system32\config\DEFAULT [Open Failed]
    C:\WINDOWS\system32\config\default.LOG [Open Failed]
    C:\WINDOWS\system32\config\SAM [Open Failed]
    C:\WINDOWS\system32\config\SAM.LOG [Open Failed]
    C:\WINDOWS\system32\config\SECURITY [Open Failed]
    C:\WINDOWS\system32\config\SECURITY.LOG [Open Failed]
    C:\WINDOWS\system32\config\SOFTWARE [Open Failed]
    C:\WINDOWS\system32\config\software.LOG [Open Failed]
    C:\WINDOWS\system32\config\SYSTEM [Open Failed]
    C:\WINDOWS\system32\config\system.LOG [Open Failed]
___________________________________________________________
Infected Files
___________________________________________________________
----[  Infected Files  ]------------
Malware: Trojan.Patched.CK
    C:\Documents and Settings\Kristen\Local Settings\Temp\TDSS8b79.tmp
___________________________________________________________
Suspected Files
___________________________________________________________
----[  Suspected   ]------------
Malware: Hidden file(s)
    C:\Documents and Settings\Kristen\nah_uhgt.exe
    C:\Documents and Settings\Kristen\nah_log.dat
___________________________________________________________
Results after ROUND 0
___________________________________________________________
Scan started: Monday, December 01, 2008 18:03:51
Scan duration: 0 days, 00 hours, 50 minutes, 19 seconds
Infections solved: 0
Infections left: 3
Viruses left: 2
----[   Suspected  ]------------
Malware: Hidden file(s)
    C:\Documents and Settings\Kristen\nah_uhgt.exe
    C:\Documents and Settings\Kristen\nah_log.dat
----[  Files Still Infected  ]------------
Malware: Trojan.Patched.CK
    C:\Documents and Settings\Kristen\Local Settings\Temp\TDSS8b79.tmp
___________________________________________________________
Results after ROUND 1
___________________________________________________________
Scan started: Monday, December 01, 2008 18:54:41
Scan duration: 0 days, 00 hours, 00 minutes, 01 seconds
Infections solved: 0
Infections left: 3
Viruses left: 2
----[   Suspected  ]------------
Malware: Hidden file(s)
    C:\Documents and Settings\Kristen\nah_uhgt.exe
    C:\Documents and Settings\Kristen\nah_log.dat
----[  Files Still Infected  ]------------
Malware: Trojan.Patched.CK
Status:  Disinfect Failed
    C:\Documents and Settings\Kristen\Local Settings\Temp\TDSS8b79.tmp
___________________________________________________________
Results after ROUND 2
___________________________________________________________
Scan started: Monday, December 01, 2008 18:55:02
Scan duration: 0 days, 00 hours, 00 minutes, 00 seconds
Infections solved: 1
Infections left: 2
Viruses left: 1
----[  Files Solved  ]------------
Malware: Trojan.Patched.CK
Status:  Moved To Quarantine
    C:\Documents and Settings\Kristen\Local Settings\Temp\TDSS8b79.tmp
----[   Suspected  ]------------
Malware: Hidden file(s)
    C:\Documents and Settings\Kristen\nah_uhgt.exe
    C:\Documents and Settings\Kristen\nah_log.dat
___________________________________________________________
Results after ROUND 3
___________________________________________________________
Scan started: Monday, December 01, 2008 18:55:02
Scan duration: 0 days, 00 hours, 00 minutes, 00 seconds
Infections solved: 1
Infections left: 2
Viruses left: 1
----[  Files Solved  ]------------
Malware: Trojan.Patched.CK
Status:  Moved To Quarantine
    C:\Documents and Settings\Kristen\Local Settings\Temp\TDSS8b79.tmp
----[   Suspected  ]------------
Malware: Hidden file(s)
    C:\Documents and Settings\Kristen\nah_uhgt.exe
    C:\Documents and Settings\Kristen\nah_log.dat




 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 12-2-2008 6:28 (GMT +1)
According to the logfiles you have a nasty infection. I'll therefore suggest you post a combolog ->
 
Please download Combofix:
 
And save to the desktop.

Close all other browser windows.
 
Please connect all your external hard drive/flash drive before running Combofix
 
 
 
Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results". 
 
Double-click on the combofix icon found on your desktop.
 
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.  

 When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.



 

Jade71
New Member


Date Joined Nov 2008
Total Posts : 8
 
Posted 12-2-2008 2:09 (GMT +1)
When I ran combofix it said it detected that the machine does not have the 'windows recovery console' - what is that and should I go back and do it again and install it?




Here is the log:
ComboFix 08-12-01.01 - Kristen 2008-12-02 7:49:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.249 [GMT -5:00]
Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Kristen\nah_log.dat
c:\documents and settings\Kristen\nah_uhgt.exe
c:\windows\system32\ieupdates.exe.tmp
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\winsrc.dll.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-12-01 16:21 . 2008-12-01 16:21 <DIR> d-------- c:\documents and settings\Kristen\Application Data\Malwarebytes
2008-12-01 16:09 . 2008-12-01 16:09 <DIR> d-------- c:\documents and settings\James\Application Data\BullGuard
2008-12-01 15:59 . 2008-12-01 16:21 <DIR> d-------- c:\program files\Malwar
2008-12-01 15:59 . 2008-12-01 15:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 15:59 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 15:59 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 23:15 . 2005-02-16 11:06 218,112 --a------ c:\program files\HijackThis.exe
2008-11-29 13:05 . 2006-10-24 22:28 <DIR> d-------- c:\documents and settings\James\Application Data\Symantec
2008-11-29 13:05 . 2006-10-24 22:25 <DIR> d-------- c:\documents and settings\James\Application Data\Sonic
2008-11-29 13:05 . 2006-10-24 22:24 <DIR> d-------- c:\documents and settings\James\Application Data\IBM
2008-11-29 13:05 . 2008-11-29 13:05 <DIR> d-------- c:\documents and settings\James
2008-11-27 13:34 . 2008-11-28 16:13 <DIR> d-------- c:\documents and settings\Kristen\Application Data\BullGuard
2008-11-26 18:13 . 2008-11-27 13:27 <DIR> d-------- c:\documents and settings\Randy\Application Data\BullGuard
2008-11-26 18:13 . 2008-12-02 07:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\BullGuard
2008-11-26 18:12 . 2008-11-10 08:51 252,568 --a------ c:\windows\system32\drivers\AfwCore.sys
2008-11-26 18:11 . 2008-11-26 18:11 <DIR> d-------- c:\program files\BullGuard Ltd
2008-11-26 18:11 . 2008-03-13 09:27 52,560 --a------ c:\windows\system32\drivers\BdFileSpy.sys
2008-11-26 12:04 . 2008-11-26 12:15 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-13 06:20 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 06:20 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 08:51 . 2008-11-10 08:51 30,872 --a------ c:\windows\system32\drivers\afw.sys
2008-11-02 12:45 . 2008-11-02 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kodak
2008-11-02 12:37 . 2008-11-02 12:37 <DIR> d--hs---- c:\windows\ftpcache
2008-11-02 12:37 . 2008-11-04 19:22 <DIR> d-------- c:\documents and settings\Randy\Application Data\CVS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 19:04 --------- d-----w c:\documents and settings\Randy\Application Data\Intuit
2008-11-28 19:04 --------- d-----w c:\documents and settings\Kristen\Application Data\Intuit
2008-11-28 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-11-26 16:34 --------- d-----w c:\program files\Common Files\Intuit
2008-11-20 03:34 296,090 ----a-w c:\documents and settings\Randy\HC43SInstaller.exe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-04 13:22 --------- d-----w c:\program files\MySpace
2008-10-03 22:19 --------- d-----w c:\documents and settings\Randy\Application Data\MySpace
2008-10-02 04:37 --------- d-----w c:\documents and settings\Kristen\Application Data\MySpace
2008-04-27 05:11 296,089 ----a-w c:\documents and settings\Kristen\HC43SInstaller.exe
2007-07-07 21:50 0 ----a-w c:\documents and settings\Randy\HCUpgrade3.1.exe
2007-02-17 06:20 800,272 ----a-w c:\documents and settings\Randy\ppctl.dll
.
------- Sigcheck -------
2004-08-04 08:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-11-26 09:38 507904 3969440ba384d35317dbbdeeaae641ce c:\windows\system32\winlogon.exe
2004-08-04 08:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-26 09:38 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2008-11-12 304464]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2005-04-12 286821]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 217088]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-11 344064]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 745472]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-14 208896]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2002-04-12 1564737]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-11-12 304464]
"TpShocks"="TpShocks.exe" [2005-04-05 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2004-11-12 c:\windows\system32\TP4EX.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-24 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-04-12 19:39 110179 c:\program files\IBM fingerprint software\psfus.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 06:07 262144 c:\windows\system32\QConGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 23:11 24576 c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2006-10-24 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2006-10-24 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2006-10-24 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2006-10-24 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-10-24 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2006-10-24 4442]
R2 BdFileSpy;BullGuard File Monitor Driver;\??\c:\windows\system32\drivers\BdFileSpy.sys [2008-11-26 52560]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [1980-01-01 14336]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [1980-01-01 14336]
R2 ibmfilter;ibmfilter;\??\c:\windows\system32\drivers\ibmfilter.sys [2005-04-27 63616]
R2 SmiHlp;SMI helper driver;\??\c:\program files\IBM fingerprint software\smihlp.sys [2005-04-12 3328]
R3 afw;Agnitum firewall driver;c:\windows\system32\DRIVERS\afw.sys [2008-11-10 30872]
R3 AfwCore;Agnitum Firewall Core Driver;\??\c:\windows\system32\Drivers\AfwCore.sys [2008-11-26 252568]
R3 Reconn;BullGuard Email Monitor;\??\c:\program files\BullGuard Ltd\BullGuard\Reconn.sys [2008-07-29 16984]
R3 TPInput;TPInput;c:\windows\system32\DRIVERS\TPInput.sys [2006-10-24 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\DRIVERS\nsctpm11.sys [1980-01-01 14336]
S3 BGRaSvc;BGRaSvc;"c:\program files\BullGuard Ltd\BullGuard\support\bgrasvc.exe" [2008-07-29 73728]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.SYS [2006-10-24 12288]
S3 WAM;Wicked Access by Mark;\??\c:\program files\IBM\IBM Rapid Restore Ultra\WAM.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
.
Contents of the 'Scheduled Tasks' folder
2008-12-02 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-04-14 04:01]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Download - c:\program files\Bellsouth\HelpCenter\ssGet.exe 120 http://download.fastaccess.com/download/HC43SInstaller.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwar\mbam.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 07:54:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1620)
c:\windows\system32\vrlogon.dll
c:\program files\IBM fingerprint software\ExtVapi.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\program files\Common Files\Virtual Token\resmgr.dll
c:\program files\Common Files\Virtual Token\Remote.dll
c:\program files\Common Files\Virtual Token\passport.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\windows\system32\tphklock.dll
c:\program files\Common Files\Virtual Token\config.dll
c:\program files\Common Files\Virtual Token\LocPass.dll
c:\program files\Common Files\Virtual Token\SBioPass.dll
c:\program files\Common Files\Virtual Token\psdlg.dll
c:\program files\Common Files\Virtual Token\BGTcVer.dll
c:\program files\Common Files\Virtual Token\BTcVer.dll
- - - - - - - > 'lsass.exe'(1676)
c:\windows\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\system32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\progra~1\ThinkPad\CONNEC~1\QCTRAY.EXE
c:\windows\system32\rundll32.exe
c:\program files\BellSouth\HelpCenter\SSGet.exe
.
**************************************************************************
.
Completion time: 2008-12-02 7:56:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 12:56:50
Pre-Run: 64,726,978,560 bytes free
Post-Run: 64,792,219,648 bytes free
210 --- E O F --- 2008-11-13 22:52:21
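A small check over the Sigcheck and service lines of a ComboFix log like the one above, added here as an example and not part of the original thread or of ComboFix itself: it flags system files whose live system32 copy has the same size as the ServicePackFiles reference copy but a different MD5 (the situation the log shows for winlogon.exe and termsrv.dll), and service entries whose bracketed metadata is empty, which is assumed here to mean ComboFix found no file at the registered path. The sample lines are copied from the log above; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: Sigcheck and service lines copied from the ComboFix log
# in this thread, trimmed to the entries the two checks below act on.
SAMPLE_LOG = r"""
2004-08-04 08:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-11-26 09:38 507904 3969440ba384d35317dbbdeeaae641ce c:\windows\system32\winlogon.exe
2004-08-04 08:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-26 09:38 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
R2 BdFileSpy;BullGuard File Monitor Driver;\??\c:\windows\system32\drivers\BdFileSpy.sys [2008-11-26 52560]
S3 WAM;Wicked Access by Mark;\??\c:\program files\IBM\IBM Rapid Restore Ultra\WAM.sys []
"""

# "<date> <time> <size> <md5> <path>" as ComboFix prints Sigcheck lines
SIG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) (\d+) ([0-9a-f]{32}) (.+)$")
# "<start type> <name>;<display name>;<path> [<date> <size>]" service lines
SVC_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+?) \[(.*)\]$")

def parse_sigcheck(text):
    """Group Sigcheck lines by file name: {name: [(time, size, md5, path), ...]}."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            ts, size, md5, path = m.groups()
            name = path.rsplit("\\", 1)[-1].lower()
            entries[name].append((ts, int(size), md5, path.lower()))
    return entries

def modified_system_files(text):
    """Names whose live system32 copy matches the ServicePackFiles reference
    copy in size but not in MD5: an in-place patch leaves the size unchanged."""
    flagged = []
    for name, copies in parse_sigcheck(text).items():
        ref = [c for c in copies if "\\servicepackfiles\\" in c[3]]
        live = [c for c in copies if "\\system32\\" in c[3]]
        if ref and live and ref[0][1] == live[0][1] and ref[0][2] != live[0][2]:
            flagged.append((name, live[0][0], live[0][2]))
    return flagged

def services_missing_file(text):
    """(service name, path) for entries whose [date size] field is empty,
    assumed here to mean ComboFix found no file at the registered path."""
    return [(m.group(1), m.group(2)) for m in map(SVC_RE.match, text.splitlines())
            if m and m.group(3) == ""]
```

Run on the full log, the first function gives the helper a short list of system files to compare against known-good copies, and the second lists stale service registrations worth cleaning up.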

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14350
Posted 12-4-2008 8:49 (GMT +1)
How are things running now?


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.


Jade71
New Member
Date Joined Nov 2008
Total Posts : 8
Posted 12-5-2008 4:08 (GMT +1)
Better, I guess... I'm not getting redirected when I search, and it seems I can download now, but it also seems slow to start and shut down. Are you telling me that my "Mr. Nasty Virus" is gone??
Touch - you are my hero!! Thank you, thank you, but what do I do now?? Do I need to go back and download the stuff I couldn't before?? Do I need to clean up stuff??

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14350
Posted 12-6-2008 8:25 (GMT +1)
If BullGuard comes up clean after a scan, "Mr. Nasty Virus" is gone :)
We'll remove ComboFix, and I suggest you keep Malwarebytes as a scanner.
  • We will also clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and OK it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will:
  • Uninstall ComboFix and delete its related folders and files.
  • Reset your clock settings.
  • Hide file extensions.
  • Hide the system/hidden files.

Also, please read this article by Tony Klein: How I got Infected in the First Place

If you have any comments or questions, feel free to post back.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.
