Still infected (seemingly with Vundo) ... Help please

Status
Not open for further replies.
A

anand_am01

Posts: 6   +0
Hello & thank you for taking the time to help.

This is my first post (after having read the relevant threads), so I'm open to guidance on posting norms, etc.

Background: I've followed the instructions on techspot.com/vb/topic58138.html; and am posting my HJT log after following these steps.

As such, I think that I did contract a Vundo; and now, after following the above instructions, I still receive alerts for Adware.Puritysys as well as an infection on the file: C:\WINDOWS\system32\drvreg.dll_old

Here's Part 1 of the HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:37 PM, on 18/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRAM FILES\SYSTERNALS\PROCESSEXPLORER\PROCEXP.EXE
C:\Program Files\Trend Micro\HijackThis\HTTM.exe

Part 2 will follow

Tx & rgds for your attention, once again
 
Still infected (seemingly with Vundo) ... can you pls. help? - Part 2

Here's Part 2:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = ocalhost:9100/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1ECE7AC5-2091-419D-BD0F-FCDB92EEBA9B} - C:\WINDOWS\system32\mllmm.dll (file missing)
O2 - BHO: (no name) - {29A92273-C690-41FF-92AB-468EF44B16B4} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - C:\Program Files\Mqvduhjy\neutdprc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (disabled by BHODemon)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C1AC8C15-62FC-1F2B-8B2E-48E679F00E91} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4124] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8792] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3315] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7074] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1081] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Desktop for OE] "C:\Program Files\GDS for OE\gdsoe.exe" install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Ebc] "C:\DOCUME~1\Anand\MYDOCU~1\SSTEM3~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6027] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6509] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3913] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6681] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8811] command /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8521] cmd /c del "C:\WINDOWS\system32\drvreg.dll_old"
O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\WINDOWS\TEMP\{BF90215F-2D7B-4C84-8A24-A03BC41B95DD}"" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'Default user')
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: hp psc 1000 series.lnk.disabled
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR ProSafe VPN Client.lnk.disabled
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?cd20b42499654f789f343cf995bad7de
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?cd20b42499654f789f343cf995bad7de
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)


Part 3 follows

Tx & rgds
/AM
 
Still infected (seemingly with Vundo) ... can you pls. help? - Part 3

Thank you for your comments & guidance on Parts 1 &2.

Here's Part 3 ...

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - connectphl04.sap.com/vdesk/cachecleaner.cab#version=6010,2007,0726,1517
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\Anand\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - connectphl04.sap.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0726,1518
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - epass.toronto.ca/vdesk/terminal/urTermProxy.cab#version=5600,0,61017,0656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203342374438
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - epass.toronto.ca/vdesk/terminal/urxshost.cab#version=5600,0,61017,0703
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - epass.toronto.ca/vdesk/terminal/urxhost.cab#version=5600,0,61017,0654
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - connectphl04.sap.com/policy/download_binary.php/win32/f5syschk.cab#Version=6010,2007,0223,0322
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: winqxl32 - winqxl32.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HLIXMZGQPRS - Unknown owner - C:\DOCUME~1\Anand\LOCALS~1\Temp\HLIXMZGQPRS.exe (file missing)
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 18876 bytes


Many tx & rgds
/AM
 
@ #2

I don't see any spyware/malware present

But Spybots S&D is requesting a restart for it to clean out found files (still waiting to be automatically removed!)

Also I don't know what this file is: C:\Program Files\Mqvduhjy\neutdprc.dll
There's no such directory or file name in existance! I'd say remove it.

There are a lot of files missing messages, that's OK, because it means they're gone. (A bit of tidying up to do)

Anyway restart

And download CCleaner and clean out all the temp file stuff
 
I'm particularly concerned about the following, as I'm not able to associate these with any application that I've used/ installed voluntarily ...

O2 - BHO: (no name) - {62780D18-D103-03D3-323A-01F43008B839} - C:\Program Files\Mqvduhjy\neutdprc.dll
O4 - HKLM\..\RunOnce: [SpybotDeletingA2] command /c del "C:\WINDOWS\system32\drvreg.dll_old"

just thinking aloud ...

Tx &rgds
/AM
 
Yes as I said remove that one C:\Program Files\Mqvduhjy\neutdprc.dll
And upon restart Spybots S&D will remove the other

I checked through #3 now (as I commented already above on others)
All files seem ok (I must say seem as I'm very experienced but not a specialist in Spyware)
Also I'm not commenting on all the *.cab files, as they're out of my league (as they have many files in them)

Generally looks Spyware clean, in my view.
By the way I wouldn't use Norton (too resource hungry) and your old McAfee still wants to update (even McAfee is too resource hungry)
Personnally I say just use AVG Free, it's a lot easier, less mucking around too.
 
If you suspect malware because your laptop is slow then NO FREAKING WONDER your computer is loading a bunch of stuff at boot. I've never seen an HJT log so long before ever. I can't say the stuff it loads is crap, but sweet Tog I have fewer programs load on my desk top, and I probably have more memory than you.

If that were my laptop, I'd take a long hard look at the programs I need and uninstall a bunch of that stuff.
 
You may want to post a fresh Hijackthis log. There are quite a few things we could clean up.

Save the Notepad file to your desktop -> then click the attach icon above your next reply (it looks like a paperclip) navigate to the notepad file and select attach
 
Before stopping some of those items from running on startup, you are still infected

Did you follow the instructions for Combofix -> if so please attach the log

if not

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • Type "1" (and Enter) to start the fix.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
If you´re infected with a Vundo try FixVundo from Symantec Corporation. It´s a stand-alone utility that will erase all Vundos in your system.
 
fyi

i got rid of Vundo from a friend's machine some time back. Here's some additional info i discovered in that process that might augment your effort to fix it (as it did for me)

Vundo is sneaky. I found that
  1. It hacks its way into several different startup methods available through Windows
  2. Each time it starts it creates a new startup executable and gives it a different filename (so you can't simply search by filename to find all instances of the executable)
I managed to finally nail it by using Autoruns a tool which displays all the startup entries it finds on your Windows machine. I discovered that although the filename keeps changing, at least in the Vundo variant in my case, the filenames fit a pattern I could spot. I did a quick look at your HJT log and spotted that familiar pattern:

Code: 
O2 - BHO: (no name) - {1ECE7AC5-2091-419D-BD0F-FCDB92EEBA9B} - C:\WINDOWS\system32\[B][U]mllmm.dll[/U][/B] 
O2 - BHO: (no name) - {29A92273-C690-41FF-92AB-468EF44B16B4} - C:\WINDOWS\system32\[B][U]sstqq.dll[/U][/B]
Note the pattern in the .dll filenames.
And bad news is: I also spotted C:\Program Files\SecCenter\scprot4.exe in your log I believe this is a different infection, not Vundo. So, you have multiple infections to clean after.

but as to vundo, in addition to removal scripts, suggest you run Autoruns and look for startups with filenames matching that filename pattern. To be cautious you can first uncheck the box for the entry (disables the startup entry) AND rename the file it is referencing. To finally be rid of it, right click on the entry and click Delete to delete entry. Then delete the file.
 
Combofix can also remove vundo

as well as

vundofix and virtumondobegone (both links in Step 10 in the preliminary removal instructions stickied above this section)

Thats why I posted combofix instructions.

However, you are right there are multiple infections in that log, looks like a lot of infections have already been removed (The files, not the registry entries)
 
Hey "Cinders", You hit in on the head!!! That start up crap is insane! I have 0 startup programs and I don't use any security crap. Guess what? No infections!!!
Learn how to manage your sys. Every once in awhile I check. I knew the other day I had something and I deleted it pronto. I don't get some of you people... If you are that Fuc*dup, reformat!!! why waste all your time and days trying to figure out if you are clean only to always wonder in the back of your mind if you are still infected??? As far as losing your inf, create a partition on your hd and keep it there and after you reinstall there it is.... I keep all my software that I use on a 5 gig partition and if I reinstall it stays as is and I run the programs and don't have to worry about looking for disks. You got to come up with a plan man!!!
 
Some of the startups were related to Spyware/Virus scan tools, related to removing these bugs.
Some of the startups were related to actual bugs.

Once the computer is clean, it would be a good idea to run Startup and CCleaner
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
786
uber_beetle
uber_beetle
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni

Latest posts

Back