TechSpot

Still infected (seemingly with Vundo) ... Help please

By anand_am01
Feb 18, 2008
Topic Status:
Not open for further replies.
  1. Hello & thank you for taking the time to help.

    This is my first post (after having read the relevant threads), so I'm open to guidance on posting norms, etc.

    Background: I've followed the instructions on techspot.com/vb/topic58138.html; and am posting my HJT log after following these steps.

    As such, I think that I did contract a Vundo; and now, after following the above instructions, I still receive alerts for Adware.Puritysys as well as an infection on the file: C:\WINDOWS\system32\drvreg.dll_old

    Here's Part 1 of the HJT Log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:14:37 PM, on 18/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
    C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\PROGRAM FILES\SYSTERNALS\PROCESSEXPLORER\PROCEXP.EXE
    C:\Program Files\Trend Micro\HijackThis\HTTM.exe

    Part 2 will follow

    Tx & rgds for your attention, once again
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    So far looks clean
  3. anand_am01

    anand_am01 Newcomer, in training Topic Starter

    Still infected (seemingly with Vundo) ... can you pls. help? - Part 2

    Here's Part 2:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = ocalhost:9100/proxy.pac
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1ECE7AC5-2091-419D-BD0F-FCDB92EEBA9B} - C:\WINDOWS\system32\mllmm.dll (file missing)
    O2 - BHO: (no name) - {29A92273-C690-41FF-92AB-468EF44B16B4} - C:\WINDOWS\system32\sstqq.dll (file missing)
    O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - C:\Program Files\Mqvduhjy\neutdprc.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (disabled by BHODemon)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {C1AC8C15-62FC-1F2B-8B2E-48E679F00E91} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
    O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4124] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8792] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3315] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7074] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1081] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Google Desktop for OE] "C:\Program Files\GDS for OE\gdsoe.exe" install
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Ebc] "C:\DOCUME~1\Anand\MYDOCU~1\SSTEM3~1\rundll.exe" -vt yazb
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB6027] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6509] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3913] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6681] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8811] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8521] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
    O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\WINDOWS\TEMP\{BF90215F-2D7B-4C84-8A24-A03BC41B95DD}"" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'Default user')
    O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: hp psc 1000 series.lnk.disabled
    O4 - Global Startup: hpoddt01.exe.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NETGEAR ProSafe VPN Client.lnk.disabled
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?cd20b42499654f789f343cf995bad7de
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?cd20b42499654f789f343cf995bad7de
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)


    Part 3 follows

    Tx & rgds
    /AM
  4. anand_am01

    anand_am01 Newcomer, in training Topic Starter

    Still infected (seemingly with Vundo) ... can you pls. help? - Part 3

    Thank you for your comments & guidance on Parts 1 & 2.

    Here's Part 3 ...

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - connectphl04.sap.com/vdesk/cachecleaner.cab#version=6010,2007,0726,1517
    O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\Anand\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab
    O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - connectphl04.sap.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0726,1518
    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - epass.toronto.ca/vdesk/terminal/urTermProxy.cab#version=5600,0,61017,0656
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203342374438
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - epass.toronto.ca/vdesk/terminal/urxshost.cab#version=5600,0,61017,0703
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - epass.toronto.ca/vdesk/terminal/urxhost.cab#version=5600,0,61017,0654
    O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - connectphl04.sap.com/policy/download_binary.php/win32/f5syschk.cab#Version=6010,2007,0223,0322
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O20 - Winlogon Notify: winqxl32 - winqxl32.dll (file missing)
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HLIXMZGQPRS - Unknown owner - C:\DOCUME~1\Anand\LOCALS~1\Temp\HLIXMZGQPRS.exe (file missing)
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
    O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 18876 bytes


    Many tx & rgds
    /AM
  5. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    @ #2

    I don't see any spyware/malware present

    But Spybot S&D is requesting a restart for it to clean out found files (still waiting to be automatically removed!)

    Also I don't know what this file is: C:\Program Files\Mqvduhjy\neutdprc.dll
    There's no such directory or file name in existence! I'd say remove it.

    There are a lot of "file missing" messages; that's OK, because it means they're gone. (A bit of tidying up to do)

    Anyway restart

    And download CCleaner and clean out all the temp file stuff
  6. anand_am01

    anand_am01 Newcomer, in training Topic Starter

    I'm particularly concerned about the following, as I'm not able to associate these with any application that I've used/ installed voluntarily ...

    O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - C:\Program Files\Mqvduhjy\neutdprc.dll
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2] command /c del "C:\WINDOWS\system32\drvreg.dll_old"

    just thinking aloud ...

    Tx & rgds
    /AM
  7. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Yes as I said remove that one C:\Program Files\Mqvduhjy\neutdprc.dll
    And upon restart Spybot S&D will remove the other

    I checked through #3 now (as I commented already above on others)
    All files seem ok (I must say seem as I'm very experienced but not a specialist in Spyware)
    Also I'm not commenting on all the *.cab files, as they're out of my league (as they have many files in them)

    Generally looks Spyware clean, in my view.
    By the way I wouldn't use Norton (too resource hungry) and your old McAfee still wants to update (even McAfee is too resource hungry)
    Personally I say just use AVG Free, it's a lot easier, less mucking around too.
  8. Cinders

    Cinders TechSpot Chancellor Posts: 1,313   +12

    If you suspect malware because your laptop is slow then NO FREAKING WONDER your computer is loading a bunch of stuff at boot. I've never seen an HJT log so long before ever. I can't say the stuff it loads is crap, but sweet Tog I have fewer programs load on my desktop, and I probably have more memory than you.

    If that were my laptop, I'd take a long hard look at the programs I need and uninstall a bunch of that stuff.
  9. anand_am01

    anand_am01 Newcomer, in training Topic Starter

    Thank you for your insights, folks

    Thank you for your insights, folks.
    You've been of immense help.
  10. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    You may want to post a fresh Hijackthis log. There are quite a few things we could clean up.

    Save the Notepad file to your desktop -> then click the attach icon above your next reply (it looks like a paperclip) navigate to the notepad file and select attach
  11. anand_am01

    anand_am01 Newcomer, in training Topic Starter

    HJT Log

    Updated HJT Log uploaded

  12. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Before stopping some of those items from running on startup, you are still infected

    Did you follow the instructions for Combofix -> if so please attach the log

    if not

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
  13. Buzinas

    Buzinas Newcomer, in training Posts: 16

    If you're infected with a Vundo try FixVundo from Symantec Corporation. It's a stand-alone utility that will erase all Vundos in your system.
  14. Buzinas

    Buzinas Newcomer, in training Posts: 16

  15. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,366   +167

    fyi

    I got rid of Vundo from a friend's machine some time back. Here's some additional info I discovered in that process that might augment your effort to fix it (as it did for me)

    Vundo is sneaky. I found that
    1. It hacks its way into several different startup methods available through Windows
    2. Each time it starts it creates a new startup executable and gives it a different filename (so you can't simply search by filename to find all instances of the executable)
    I managed to finally nail it by using Autoruns, a tool which displays all the startup entries it finds on your Windows machine. I discovered that although the filename keeps changing, at least in the Vundo variant in my case, the filenames fit a pattern I could spot. I did a quick look at your HJT log and spotted that familiar pattern:

    Code:
    O2 - BHO: (no name) - {1ECE7AC5-2091-419D-BD0F-FCDB92EEBA9B} - C:\WINDOWS\system32\mllmm.dll
    O2 - BHO: (no name) - {29A92273-C690-41FF-92AB-468EF44B16B4} - C:\WINDOWS\system32\sstqq.dll
    Note the pattern in the .dll filenames.
    And bad news is: I also spotted C:\Program Files\SecCenter\scprot4.exe in your log. I believe this is a different infection, not Vundo. So, you have multiple infections to clean after.

    But as to Vundo, in addition to removal scripts, suggest you run Autoruns and look for startups with filenames matching that filename pattern. To be cautious you can first uncheck the box for the entry (disables the startup entry) AND rename the file it is referencing. To finally be rid of it, right click on the entry and click Delete to delete the entry. Then delete the file.
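An added example, not code from this thread or from any tool it names: a small Python triage script that applies the indicators discussed above (nameless O2 BHOs with short random-looking DLL names, autostarts that run from a user's profile or Temp folder, and "(file missing)" leftovers that only need their registry entry cleaned up) to HJT log lines. The sample lines are copied from this thread's log; the 5-to-8-letter name pattern and the path heuristics are my assumptions, so a hit is an entry to inspect in Autoruns, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log lines for the Vundo-style
indicators discussed in the thread.  A hit means "look at this entry",
not "this is malware".
"""
import re

# Constructed sample: lines copied from the thread's HJT log, plus one
# known-good Adobe BHO line so the output shows a non-hit for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1ECE7AC5-2091-419D-BD0F-FCDB92EEBA9B} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: (no name) - {29A92273-C690-41FF-92AB-468EF44B16B4} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - C:\Program Files\Mqvduhjy\neutdprc.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [Ebc] "C:\DOCUME~1\Anand\MYDOCU~1\SSTEM3~1\rundll.exe" -vt yazb
O20 - Winlogon Notify: winqxl32 - winqxl32.dll (file missing)
O23 - Service: HLIXMZGQPRS - Unknown owner - C:\DOCUME~1\Anand\LOCALS~1\Temp\HLIXMZGQPRS.exe (file missing)
"""

# A drive-letter path up to the first .dll/.exe; spaces allowed ("Program Files").
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.I)
# Fallback for entries that name only a file (O20 Winlogon Notify lines).
BARE_FILE = re.compile(r"\b[\w~-]+\.(?:dll|exe)\b", re.I)
# Assumed pattern for the dropped DLLs: short, all-letter names (mllmm, sstqq here).
RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")
# Assumption: nothing legitimate in this log autostarts from a profile or Temp dir.
PROFILE_OR_TEMP = re.compile(r"\\(?:DOCUME~1|Documents and Settings)\\|\\Temp\\", re.I)


def extract_path(line):
    """Return the file path (or bare filename) an HJT entry refers to, or None."""
    match = DRIVE_PATH.search(line) or BARE_FILE.search(line)
    return match.group(0) if match else None


def triage_line(line):
    """Return the list of reasons an HJT line deserves a look (empty if none)."""
    section = line.split(" - ", 1)[0]          # O2, O4, O20, O23, ...
    path = extract_path(line)
    base = path.rsplit("\\", 1)[-1].lower() if path else ""
    stem = base.rsplit(".", 1)[0]
    reasons = []
    if section == "O2" and "(no name)" in line:
        reasons.append("nameless BHO")
        if RANDOM_NAME.match(stem):
            reasons.append("random-looking DLL name")
    if section in ("O4", "O23") and path and PROFILE_OR_TEMP.search(path):
        reasons.append("autostart from user profile or Temp")
    if section in ("O2", "O20", "O23") and "(file missing)" in line:
        reasons.append("file missing: stale entry, clean up the registry key")
    return reasons


def flag_entries(log_text):
    """Return [(line, reasons)] for every HJT line with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


def flagged_names(log_text):
    """Lower-cased basenames of every flagged entry, for cross-checking in Autoruns."""
    names = set()
    for line, _ in flag_entries(log_text):
        path = extract_path(line)
        if path:
            names.add(path.rsplit("\\", 1)[-1].lower())
    return names


if __name__ == "__main__":
    for line, reasons in flag_entries(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Feed it a full HJT log saved from the tool and compare the returned basenames against what Autoruns shows under Explorer, Logon and Services.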
  16. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Combofix can also remove vundo

    as well as

    vundofix and virtumondobegone (both links in Step 10 in the preliminary removal instructions stickied above this section)

    That's why I posted combofix instructions.

    However, you are right, there are multiple infections in that log; it looks like a lot of infections have already been removed (the files, not the registry entries)
  17. wanna be geek

    wanna be geek Newcomer, in training Posts: 96

    Hey "Cinders", you hit it on the head!!! That start up crap is insane! I have 0 startup programs and I don't use any security crap. Guess what? No infections!!!
    Learn how to manage your sys. Every once in a while I check. I knew the other day I had something and I deleted it pronto. I don't get some of you people... If you are that Fuc*dup, reformat!!! Why waste all your time and days trying to figure out if you are clean only to always wonder in the back of your mind if you are still infected??? As far as losing your inf, create a partition on your hd and keep it there and after you reinstall there it is.... I keep all my software that I use on a 5 gig partition and if I reinstall it stays as is and I run the programs and don't have to worry about looking for disks. You got to come up with a plan man!!!
  18. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Some of the startups were related to Spyware/Virus scan tools, related to removing these bugs.
    Some of the startups were related to actual bugs.

    Once the computer is clean, it would be a good idea to run Startup and CCleaner