AxFreePorn Dialer Help

Discussion in 'Malware and Virus Removal Archive' started by ryan9867, 2007/03/19.

  1. 2007/03/19
    ryan9867

    ryan9867 Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    7
    Likes Received:
    0
    Hello,

    I also need help removing this pesky dialer. I have already run Adaware, Spy Search, and AVG Anti Virus. It seems the removal of this is specific for each user, so here's my log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:53:19 PM, on 3/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Timbuktu Pro\tb2launch.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\NetopiaRC\Tb2RunDLL.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Timbuktu Pro\tb2pro.exe
    C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\SNA\system\SNABASE.EXE
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\IP VPN Remote Services\Extranet_serv.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.avisbudgetneighborhood.com/budget-neighborhood/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cendantintranet.hfscorp.com/home.cfm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cendant Corporation
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = helpnow.cendant.com;
    F2 - REG:system.ini: UserInit=C:\WINDOWS\NetopiaRC\Tb2RunDLL.EXE 1,C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O4 - HKLM\..\Run: [SchedulingAgent] "mstinit.exe" /firstlogon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe "
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\RunServices: [HPl Services] hmlsvc32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://cendantintranet.hfscorp.com/home.cfm
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170186631938
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170456601375
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://mytime.cendant.com/WFC/plugins/jre-1_5_0_06-windows-i586-p.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD8B803-BA43-47B5-9AEF-7E8FD72468D0}: NameServer = 161.178.24.46,161.178.221.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cendant.com,budgetgroup.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cendant.com,budgetgroup.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cendant.com,budgetgroup.com
    O20 - AppInit_DLLs: arpa.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
    O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
    O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\IP VPN Remote Services\Extranet_serv.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
     
  2. 2007/03/20
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi Ryan & welcome

    Please download this program to your desktop:

    http://noahdfear.geekstogo.com/FindAWF.exe

    Once saved, double click it and let it run.

    Post the log it makes.

    There will be a fair bit of work to do because I suspect several of your startup programs were overwritten by the Agent.AWF trojan and will need to be replaced with known good.

    Be careful where you surf because your IE security is likely compromised as well. Meaning most every site you visit is allowed to do whatever they want to your computer without asking.

    I don't think this one spreads across networks but it is likely a good idea not to allow remote operations until cleaned up.

    Also...
    No real specification on what info it steals, so changing passwords on any sensitive sites is a good idea.

    Info:

    http://www.avira.com/en/threats/section/fulldetails/id_vir/2820/tr_dldr.agent.awf.14.html

    Thanks :)
     
  4. 2007/03/20
    ryan9867

    ryan9867 Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    7
    Likes Received:
    0
    Thanks for the help Blender...here's the log:

    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\SYMANT~1\BAK

    10/06/2004 07:56 PM 161,096 VPTray.exe
    1 File(s) 161,096 bytes

    Directory of C:\PROGRA~1\TIMBUK~1\BAK

    02/08/2002 09:57 PM 143,360 Tb2Logon.exe
    1 File(s) 143,360 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    06/09/2004 10:31 PM 66,680 ccApp.exe
    1 File(s) 66,680 bytes

    Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    06/16/2004 12:53 PM 512,000 SynTPEnh.exe
    06/16/2004 12:53 PM 110,592 SynTPLpr.exe
    2 File(s) 622,592 bytes

    Directory of C:\PROGRA~1\THINKPAD\CONNEC~1\BAK

    08/18/2004 02:30 AM 708,608 QCTRAY.EXE
    08/18/2004 02:30 AM 81,920 QCWLICON.EXE
    2 File(s) 790,528 bytes

    Directory of C:\PROGRA~1\THINKPAD\UTILIT~1\BAK

    02/05/2004 03:36 AM 20,480 BMMLREF.EXE
    02/04/2004 05:39 PM 897,024 TpKmapAp.exe
    2 File(s) 917,504 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    10/22/2003 12:04 AM 114,741 tfswctrl.exe
    1 File(s) 114,741 bytes

    Directory of C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\BAK

    03/10/2004 12:10 PM 94,208 TPHKMGR.exe
    1 File(s) 94,208 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    24588 Jan 25 2007 "C:\Program Files\Symantec AntiVirus\VPTray.exe "
    161096 Oct 6 2004 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe "
    24588 Jan 25 2007 "C:\Program Files\Timbuktu Pro\Tb2Logon.exe "
    143360 Feb 8 2002 "C:\Program Files\Timbuktu Pro\bak\Tb2Logon.exe "
    143360 Feb 8 2002 "C:\WINDOWS\sw\packages\Netopia Timbuktu Pro 5.0.883\Program Files\Timbuktu Pro\TB2Logon.exe "
    24588 Jan 25 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe "
    512000 Feb 14 2006 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    512000 Jun 16 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe "
    512000 Feb 14 2006 "C:\Program Files\Synaptics\SynTP\Media\SYNTPENH.EXE "
    512000 Jun 16 2004 "C:\WINDOWS\sw\packages\IBM ThinkPad UltraNav Driver 7.5.17.12\SYNTPENH.EXE "
    512000 Feb 14 2006 "C:\Program Files\Lenovo\System Update\session\77gu08ww\SYNTPENH.EXE "
    110592 Feb 14 2006 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe "
    110592 Jun 16 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe "
    110592 Feb 14 2006 "C:\Program Files\Synaptics\SynTP\Media\SYNTPLPR.EXE "
    110592 Jun 16 2004 "C:\WINDOWS\sw\packages\IBM ThinkPad UltraNav Driver 7.5.17.12\SYNTPLPR.EXE "
    110592 Feb 14 2006 "C:\Program Files\Lenovo\System Update\session\77gu08ww\SYNTPLPR.EXE "
    65536 Dec 25 2006 "C:\Program Files\ThinkPad\ConnectUtilities\QcTray.exe "
    708608 Aug 18 2004 "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE "
    81920 Aug 18 2004 "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCWLICON.EXE "
    20480 Apr 20 2005 "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE "
    20480 Feb 5 2004 "C:\Program Files\ThinkPad\Utilities\bak\BMMLREF.EXE "
    20480 Feb 5 2004 "C:\WINDOWS\sw\packages\IBM Battery Maximiser Wizard 1.36a\BMMLREF.EXE "
    20480 Apr 20 2005 "C:\Program Files\Lenovo\System Update\session\1xu105u1\BMMLREF.EXE "
    856064 Jun 2 2006 "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe "
    897024 Feb 4 2004 "C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe "
    114741 Oct 22 2003 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe "
    94208 Oct 2 2006 "C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe "
    94208 Mar 10 2004 "C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe "
    94208 Mar 10 2004 "C:\WINDOWS\sw\packages\IBM ThinkPad Hotkey 1.04.0430\OSD\COMMON\TPHKMGR.EXE "
    94208 Oct 2 2006 "C:\Program Files\Lenovo\System Update\session\7avu43ww\OSD\common\tphkmgr.exe "


    end of report
     
  5. 2007/03/21
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi Ryan,

    I'll be a few minutes drawing up a fix. :)
     
  6. 2007/03/21
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Please print these instructions out because you will be in safe mode and can't access the internet for this page.

    Preparation:

    1.) Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop.
    Do nothing with it yet.

    2.) Download: ResetProtocolDefaults.reg
    http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg
    Do nothing with it yet.

    This file is designed for this computer only! If you are not this user please do not use it! It will not work on your system because each computer requires a different fix!

    3.) Attached is a file called fixawf.zip
    Download file and save it.
    Unzip it.
    You should have fixawf.bat when done.
    Do nothing with it yet.

    4.) Download ATF Cleaner by Atribune and save it to your Desktop.

    http://www.atribune.org/ccount/click.php?id=1

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

    When you have finished, click on the Exit button in the Main menu.

    Fixing:

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    1.) Locate ResetProtocolDefaults.reg
    Right click it and choose merge
    Answer Yes & OK.

    This resets your Security settings for IE.

    2.) Locate DelDomains.inf
    Right click it and choose install
    You won't see much happening. Give it a few seconds...

    This removes bad domains added to your trusted zones for IE.

    3.) Locate fixawf.bat
    Double click it and let it run.
    You will see a "dos box" flash up and disappear. Normal.

    This replaces trojaned files with good backups.

    4.) reboot to normal mode.

    5.) Please post the following:

    New Hijackthis log
    Run FindAWF again and post log.

    6.) Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    If the log is too big to post here you can upload it here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Include the link to this thread in your upload so I know who the log belongs to.


    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

    *Note 2
    If you have Spybot S & D, SpywareBlaster, IE-Spyads installed you will need to:
    Re-immunize protection in Spybot
    Re-enable protection in SpywareBlaster
    Re-install IE-Spyads

    Let me know how machine is running.
    I think we'll have more work to do.

    Thanks :)
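As an added example (not FindAWF, HijackThis or the thread's fixawf.bat), the script below triages the "Duplicate files of bak directory contents" section from the FindAWF report in post 4 and lists the copy-back pairs that the fixawf.bat step in post 6 is described as performing. It flags live files whose size differs from their "bak" original, treats mismatches that share one size and date as the dropper planted under several names, and notes when a vendor package cache vouches for the "bak" copy; the sample lines are taken from the thread's report, while the cluster threshold and the corroboration rule are my assumptions.

```python
"""Triage a FindAWF 'Duplicate files of bak directory contents' section.

Agent.AWF, as the thread describes it, moves a startup executable into a
'bak' subfolder and drops itself under the original name.  So a hijacked
file shows up as a live copy whose size differs from its 'bak' sibling,
and every hijacked name carries the same dropper size and date.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: a subset of the report lines posted in the thread.
SAMPLE_REPORT = r"""
24588 Jan 25 2007 "C:\Program Files\Symantec AntiVirus\VPTray.exe "
161096 Oct 6 2004 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe "
24588 Jan 25 2007 "C:\Program Files\Timbuktu Pro\Tb2Logon.exe "
143360 Feb 8 2002 "C:\Program Files\Timbuktu Pro\bak\Tb2Logon.exe "
143360 Feb 8 2002 "C:\WINDOWS\sw\packages\Netopia Timbuktu Pro 5.0.883\Program Files\Timbuktu Pro\TB2Logon.exe "
24588 Jan 25 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe "
512000 Feb 14 2006 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
512000 Jun 16 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe "
65536 Dec 25 2006 "C:\Program Files\ThinkPad\ConnectUtilities\QcTray.exe "
708608 Aug 18 2004 "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE "
81920 Aug 18 2004 "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCWLICON.EXE "
"""

# FindAWF prints: <size> <Mon d yyyy> "<path> "  (note the trailing space)
LINE_RE = re.compile(r'^\s*(\d+)\s+(\w{3} \d{1,2} \d{4})\s+"(.+?)\s*"\s*$')


@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: PureWindowsPath


def parse_report(text):
    """Return one Entry per well-formed report line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))))
    return entries


def is_bak(path):
    return any(part.lower() == "bak" for part in path.parts)


def live_for(bak_path):
    """The live file a 'bak' copy was moved from: same name, parent of 'bak'."""
    return bak_path.parent.parent / bak_path.name


def triage(entries):
    by_path = {str(e.path).lower(): e for e in entries}
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.path.name.lower()].append(e)

    mismatches, missing, corroborated = [], [], set()
    for bak in (e for e in entries if is_bak(e.path)):
        live = by_path.get(str(live_for(bak.path)).lower())
        # Assumption: a third copy (e.g. a vendor package cache) with the same
        # size and date vouches for the 'bak' file being the genuine original.
        if any(o is not bak and o is not live and not is_bak(o.path)
               and (o.size, o.date) == (bak.size, bak.date)
               for o in by_name[bak.path.name.lower()]):
            corroborated.add(bak.path)
        if live is None:
            missing.append(bak)            # bak copy with no live counterpart
        elif live.size != bak.size:
            mismatches.append((live, bak))  # live file is not the original
    # Assumption: two or more mismatched live files sharing one (size, date)
    # are the dropper binary; a lone mismatch may just be a vendor update.
    sig = Counter((l.size, l.date) for l, _ in mismatches)
    strong = [(l, b) for l, b in mismatches if sig[(l.size, l.date)] >= 2]
    review = [(l, b) for l, b in mismatches if sig[(l.size, l.date)] < 2]
    return {"strong": strong, "review": review, "missing": missing,
            "corroborated": corroborated}


def restore_plan(strong):
    """(destination, source) pairs: put each genuine 'bak' original back over
    the hijacked live file, the step the thread describes fixawf.bat doing."""
    return [(str(live.path), str(bak.path)) for live, bak in strong]


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for live, bak in result["strong"]:
        print(f"HIJACKED {live.path} ({live.size} B, {live.date}) <- {bak.path}")
    for live, bak in result["review"]:
        print(f"REVIEW   {live.path} differs from bak copy, not in dropper cluster")
    for bak in result["missing"]:
        print(f"ORPHAN   {bak.path} has no live counterpart")
    for p in result["corroborated"]:
        print(f"VERIFIED {p} matches a vendor package copy")
```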
     
  7. 2007/03/21
    ryan9867

    ryan9867 Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    7
    Likes Received:
    0
    OK, here is the new Hijack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:15:00 AM, on 3/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Timbuktu Pro\tb2launch.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\NetopiaRC\Tb2RunDLL.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Timbuktu Pro\Tb2Logon.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Timbuktu Pro\tb2pro.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.avisbudgetneighborhood.com/budget-neighborhood/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cendantintranet.hfscorp.com/home.cfm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cendant Corporation
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = helpnow.cendant.com;
    F2 - REG:system.ini: UserInit=C:\WINDOWS\NetopiaRC\Tb2RunDLL.EXE 1,C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O4 - HKLM\..\Run: [SchedulingAgent] "mstinit.exe" /firstlogon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe "
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\RunServices: [HPl Services] hmlsvc32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://cendantintranet.hfscorp.com/home.cfm
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170186631938
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170456601375
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://mytime.cendant.com/WFC/plugins/jre-1_5_0_06-windows-i586-p.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cendant.com,budgetgroup.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cendant.com,budgetgroup.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cendant.com,budgetgroup.com
    O20 - AppInit_DLLs: arpa.dll
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
    O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
    O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\IP VPN Remote Services\Extranet_serv.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
     
  8. 2007/03/21
    ryan9867

    ryan9867 Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    7
    Likes Received:
    0
    here's the new FindAWF log:


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\SYMANT~1\BAK

    10/06/2004 07:56 PM 161,096 VPTray.exe
    1 File(s) 161,096 bytes

    Directory of C:\PROGRA~1\TIMBUK~1\BAK

    02/08/2002 09:57 PM 143,360 Tb2Logon.exe
    1 File(s) 143,360 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    06/09/2004 10:31 PM 66,680 ccApp.exe
    1 File(s) 66,680 bytes

    Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    06/16/2004 12:53 PM 512,000 SynTPEnh.exe
    06/16/2004 12:53 PM 110,592 SynTPLpr.exe
    2 File(s) 622,592 bytes

    Directory of C:\PROGRA~1\THINKPAD\CONNEC~1\BAK

    08/18/2004 02:30 AM 708,608 QCTRAY.EXE
    08/18/2004 02:30 AM 81,920 QCWLICON.EXE
    2 File(s) 790,528 bytes

    Directory of C:\PROGRA~1\THINKPAD\UTILIT~1\BAK

    02/05/2004 03:36 AM 20,480 BMMLREF.EXE
    02/04/2004 05:39 PM 897,024 TpKmapAp.exe
    2 File(s) 917,504 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    10/22/2003 12:04 AM 114,741 tfswctrl.exe
    1 File(s) 114,741 bytes

    Directory of C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\BAK

    03/10/2004 12:10 PM 94,208 TPHKMGR.exe
    1 File(s) 94,208 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    161096 Oct 6 2004 "C:\Program Files\Symantec AntiVirus\VPTray.exe "
    161096 Oct 6 2004 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe "
    143360 Feb 8 2002 "C:\Program Files\Timbuktu Pro\Tb2Logon.exe "
    143360 Feb 8 2002 "C:\Program Files\Timbuktu Pro\bak\Tb2Logon.exe "
    143360 Feb 8 2002 "C:\WINDOWS\sw\packages\Netopia Timbuktu Pro 5.0.883\Program Files\Timbuktu Pro\TB2Logon.exe "
    66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe "
    512000 Feb 14 2006 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    512000 Jun 16 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe "
    512000 Feb 14 2006 "C:\Program Files\Synaptics\SynTP\Media\SYNTPENH.EXE "
    512000 Jun 16 2004 "C:\WINDOWS\sw\packages\IBM ThinkPad UltraNav Driver 7.5.17.12\SYNTPENH.EXE "
    512000 Feb 14 2006 "C:\Program Files\Lenovo\System Update\session\77gu08ww\SYNTPENH.EXE "
    110592 Feb 14 2006 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe "
    110592 Jun 16 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe "
    110592 Feb 14 2006 "C:\Program Files\Synaptics\SynTP\Media\SYNTPLPR.EXE "
    110592 Jun 16 2004 "C:\WINDOWS\sw\packages\IBM ThinkPad UltraNav Driver 7.5.17.12\SYNTPLPR.EXE "
    110592 Feb 14 2006 "C:\Program Files\Lenovo\System Update\session\77gu08ww\SYNTPLPR.EXE "
    65536 Dec 25 2006 "C:\Program Files\ThinkPad\ConnectUtilities\QcTray.exe "
    708608 Aug 18 2004 "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE "
    81920 Aug 18 2004 "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCWLICON.EXE "
    20480 Apr 20 2005 "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE "
    20480 Feb 5 2004 "C:\Program Files\ThinkPad\Utilities\bak\BMMLREF.EXE "
    20480 Feb 5 2004 "C:\WINDOWS\sw\packages\IBM Battery Maximiser Wizard 1.36a\BMMLREF.EXE "
    20480 Apr 20 2005 "C:\Program Files\Lenovo\System Update\session\1xu105u1\BMMLREF.EXE "
    856064 Jun 2 2006 "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe "
    897024 Feb 4 2004 "C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe "
    114741 Oct 22 2003 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe "
    94208 Oct 2 2006 "C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe "
    94208 Mar 10 2004 "C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe "
    94208 Mar 10 2004 "C:\WINDOWS\sw\packages\IBM ThinkPad Hotkey 1.04.0430\OSD\COMMON\TPHKMGR.EXE "
    94208 Oct 2 2006 "C:\Program Files\Lenovo\System Update\session\7avu43ww\OSD\common\tphkmgr.exe "


    end of report
     
  9. 2007/03/21
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Looking good I think :)

    A few files I would like you to check for me.

    C:\Program Files\ThinkPad\ConnectUtilities\QcTray.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe

    Can you do a property check on those please?
    Locate the file > right-click it, choose "Properties".
    There *should* be a Version tab.
    Click that...
    There should be a company name listed.
    It should match the company name of the files in these folders:

    C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE
    C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe

    I think they are both the result of updates you may have done, but I want to make sure you don't have an older version of AWF still hanging around.

    If the first two show nothing in properties...
    Scan them here please:

    http://virusscan.jotti.org/

    http://www.virustotal.com/

    Let me know what you find.

    Thanks :)
     
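As an added worked example (not code from the thread), here is the size comparison behind the request above, run over lines copied from the FindAWF report earlier in this thread. AWF moves the genuine program into a sibling bak folder and leaves its own binary under the original name, so a bak copy whose live counterpart has a different size (QcTray.exe, TpKmapAp.exe here) is exactly the one whose version tab and online scan need checking; a bak copy with no live counterpart at all is a third case worth noting. Only the report text is parsed; nothing is read from disk.

```python
import re

# Constructed sample in the FindAWF "Duplicate files of bak directory contents"
# format. Sizes, dates and paths are copied from the report posted earlier in
# this thread; nothing here is read from a live machine.
SAMPLE_REPORT = r'''
161096 Oct 6 2004 "C:\Program Files\Symantec AntiVirus\VPTray.exe "
161096 Oct 6 2004 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe "
65536 Dec 25 2006 "C:\Program Files\ThinkPad\ConnectUtilities\QcTray.exe "
708608 Aug 18 2004 "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE "
81920 Aug 18 2004 "C:\Program Files\ThinkPad\ConnectUtilities\bak\QCWLICON.EXE "
856064 Jun 2 2006 "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe "
897024 Feb 4 2004 "C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe "
94208 Oct 2 2006 "C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe "
94208 Mar 10 2004 "C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe "
94208 Mar 10 2004 "C:\WINDOWS\sw\packages\IBM ThinkPad Hotkey 1.04.0430\OSD\COMMON\TPHKMGR.EXE "
'''

# size, "Mon d yyyy", quoted path. The space before the closing quote is a
# paste artifact; the lazy group followed by \s* leaves it out of the path.
LINE_RE = re.compile(r'^\s*(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+?)\s*"\s*$')


def parse_report(text):
    """Return (size, date, path) for every report line that matches the format."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2), match.group(3)))
    return entries


def split_path(path):
    """Split a Windows path into (directory, last component)."""
    parts = path.split("\\")
    return "\\".join(parts[:-1]), parts[-1]


def classify_bak_entries(text):
    """Map each file found under a bak folder to a verdict.

    same-size    - the live file in the parent folder has the same size as the
                   backed-up original (restored, or never replaced)
    size-differs - the live file is a different binary; check its version tab
                   and scan it before trusting it
    no-live-copy - nothing is left at the original location
    """
    live = {}   # (directory lower, name lower) -> size
    baks = []   # (path, size, original directory, name)
    for size, _date, path in parse_report(text):
        directory, name = split_path(path)
        parent_dir, parent_name = split_path(directory)
        if parent_name.lower() == "bak":
            baks.append((path, size, parent_dir, name))
        else:
            live[(directory.lower(), name.lower())] = size

    verdicts = {}
    for path, size, origin_dir, name in baks:
        live_size = live.get((origin_dir.lower(), name.lower()))
        if live_size is None:
            verdicts[path] = "no-live-copy"
        elif live_size == size:
            verdicts[path] = "same-size"
        else:
            verdicts[path] = "size-differs"
    return verdicts


if __name__ == "__main__":
    for bak_path, verdict in sorted(classify_bak_entries(SAMPLE_REPORT).items()):
        print(f"{verdict:13} {bak_path}")
```

Size equality is only a first filter: a replaced binary padded to the original length would pass it, which is why the version tab and an online scan are still the deciding check for anything that is not plainly an updated vendor file.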
  10. 2007/03/21
    ryan9867

    ryan9867 Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    7
    Likes Received:
    0
    OK Blender, those two files are clean! I haven't done the Kaspersky Scan yet, it was taking forever while I was at my office, so I'll scan with it tonight. I'll post the log once complete...

    Thanks again for your help!
     
  11. 2007/03/21
    ryan9867

    ryan9867 Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    7
    Likes Received:
    0
    OK, here's the Kaspersky log file:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, March 21, 2007 6:55:13 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 21/03/2007
    Kaspersky Anti-Virus database records: 283951
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 46876
    Number of viruses found: 6
    Number of infected objects: 17 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:05:48

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00C40000.VBN Infected: Trojan-Downloader.Win32.Small.dmj skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04640000.VBN Infected: Exploit.Win32.IMG-WMF.u skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04A00000.VBN Infected: Backdoor.Win32.Agobot.acg skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04A00001.VBN Infected: Trojan.Win32.LowZones.bk skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05040000.VBN Infected: Backdoor.Win32.Agobot.acg skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05140000.VBN Infected: Backdoor.Win32.Agobot.acg skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05140001.VBN Infected: Backdoor.Win32.Agobot.acg skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08400000.VBN Infected: Trojan.Win32.LowZones.bk skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09F00000.VBN Infected: Trojan.Win32.LowZones.bk skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180000.VBN Infected: Trojan.Win32.LowZones.bk skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600000.VBN Infected: Trojan-Downloader.Win32.Small.dmj skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600001.VBN Infected: Trojan-Downloader.Win32.Small.dmj skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600002.VBN Infected: Trojan-Downloader.Win32.Small.dmj skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600003.VBN Infected: Trojan-Downloader.Win32.Small.dmj skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE00000.VBN Infected: Exploit.HTML.IESlice.d skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\rjewell\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\rjewell\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\rjewell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\rjewell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\rjewell\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\rjewell\Local Settings\History\History.IE5\MSHist012007032120070322\index.dat Object is locked skipped
    C:\Documents and Settings\rjewell\Local Settings\Temp\~DF9337.tmp Object is locked skipped
    C:\Documents and Settings\rjewell\Local Settings\Temp\~DF933C.tmp Object is locked skipped
    C:\Documents and Settings\rjewell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\rjewell\ntuser.dat Object is locked skipped
    C:\Documents and Settings\rjewell\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\rjewell\UserData\index.dat Object is locked skipped
    C:\Program Files\Timbuktu Pro\Activity.log Object is locked skipped
    C:\Program Files\Timbuktu Pro\Personal.tbk Object is locked skipped
    C:\Program Files\Verizon Wireless\venturi\Client\vent2.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\$NtUninstallKB833987$\sxs.dll Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\etc\1.hosts Infected: Trojan.Win32.Qhost skipped
    C:\WINDOWS\system32\drivers\etc\2.hosts Infected: Trojan.Win32.Qhost skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  12. 2007/03/22
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Looks good for the most part.

    No more rogue connection attempts, popups or slowdowns?

    Almost all the detections are in your Norton Quarantine.

    Scanner flagged 2 hosts files.
    We'll get those at the same time we get those leftover "bak" folders.

    A couple of files in your HijackThis log I can't get any definite info on.

    O4 - HKLM\..\RunServices: [HPl Services] hmlsvc32.exe
    O20 - AppInit_DLLs: arpa.dll

    Can you locate those files and upload them for a scan at either of these sites please:

    http://virusscan.jotti.org/
    http://www.virustotal.com/

    Both files are most likely here:

    C:\Windows\system32

    Let me know results.

    Next:

    Copy the following text inside the code box to a new Notepad file.
    Make sure word wrap is off.
    Save it with the file name finish.bat
    As file type: All Files

    Code:
    @echo off
    rem Remove the two extra hosts files Kaspersky flagged; the real hosts file is not touched
    del C:\WINDOWS\system32\drivers\etc\1.hosts
    del C:\WINDOWS\system32\drivers\etc\2.hosts
    rem Empty, then remove, each leftover AWF "bak" folder from the FindAWF report
    del /q "C:\Program Files\Symantec AntiVirus\bak\*.*"
    rmdir /q "C:\Program Files\Symantec AntiVirus\bak"
    del /q "C:\Program Files\Timbuktu Pro\bak\*.*"
    rmdir /q "C:\Program Files\Timbuktu Pro\bak"
    del /q "C:\Program Files\Common Files\Symantec Shared\bak\*.*"
    rmdir /q "C:\Program Files\Common Files\Symantec Shared\bak"
    del /q "C:\Program Files\Synaptics\SynTP\bak\*.*"
    rmdir /q "C:\Program Files\Synaptics\SynTP\bak"
    del /q "C:\Program Files\ThinkPad\ConnectUtilities\bak\*.*"
    rmdir /q "C:\Program Files\ThinkPad\ConnectUtilities\bak"
    del /q "C:\Program Files\ThinkPad\Utilities\bak\*.*"
    rmdir /q "C:\Program Files\ThinkPad\Utilities\bak"
    del /q "C:\WINDOWS\system32\dla\bak\*.*"
    rmdir /q "C:\WINDOWS\system32\dla\bak"
    del /q "C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\*.*"
    rmdir /q "C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak"
    
    Once saved, double-click it and let it run.
    A "DOS" box will flash up and disappear. That is normal.

    Let me know how things are running and the results from scans on those 2 files.

    Thanks :)
     
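An added example, not from the thread: 1.hosts and 2.hosts were both flagged as Trojan.Win32.Qhost, which is Kaspersky's family name for hosts files that block or redirect update and antivirus domains. Before deleting files like these, and when checking the real hosts file afterwards, it is worth reading what they actually map, because an entry that sends an update domain to a remote address is a redirect to someone else's server rather than just a block. The sample hosts content, the 203.0.113.10 address and the PROTECTED_SUFFIXES list below are constructed for the example.

```python
import ipaddress

# Constructed sample of a hijacked hosts file in the style flagged above as
# Trojan.Win32.Qhost. 203.0.113.10 is a documentation address, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.doubleclick.net          # ordinary ad-blocking entry, left alone
0.0.0.0         www.symantec.com
0.0.0.0         liveupdate.symantecliveupdate.com
203.0.113.10    windowsupdate.microsoft.com
203.0.113.10    update.microsoft.com
203.0.113.10    www.kaspersky.com
"""

# Domains a dialer or downloader typically blocks so its victim cannot update or
# scan. Any hosts entry for one of these, or a subdomain, is flagged. Assumed
# list for the example; extend it with whatever vendors the machine relies on.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com",
    "symantecliveupdate.com", "kaspersky.com", "grisoft.com",
    "lavasoft.com", "virustotal.com", "jotti.org",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return (ip, hostname, reason) for every entry that deserves a look.

    Two rules: a protected domain mapped anywhere at all (loopback or 0.0.0.0
    is a block, anything else is a redirect), and any other name sent to a
    non-loopback address, which redirects rather than blocks.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        if is_protected(name):
            reason = "update/AV domain blocked" if sinkhole else "update/AV domain redirected"
            findings.append((ip, name, reason))
        elif not sinkhole:
            findings.append((ip, name, "redirected off-host"))
    return findings


if __name__ == "__main__":
    import sys
    # usage: python audit_hosts.py C:\WINDOWS\system32\drivers\etc\1.hosts
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for ip, name, reason in audit_hosts(text):
        print(f"{ip:<16} {name:<40} {reason}")
```

Run it against the real hosts file as well once the extra copies are gone: a clean XP hosts file contains only the localhost line, so anything else it reports was put there by software.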
  13. 2007/03/22
    ryan9867

    ryan9867 Inactive Thread Starter

    Joined:
    2007/03/19
    Messages:
    7
    Likes Received:
    0
    Hey Blender!

    Everything seems to be working fine. No more disconnects, and no signs of the autodialer...

    I ran the bat file you last posted.

    I ran an expanded search with Explorer and I can't find those two files you wanted me to scan... any idea how to find them?

    I can't thank you enough for helping me out. If you ever need to rent a car, let me know. I'm a mgr in Orlando for a car rental company... :)
     
  14. 2007/03/23
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Good to hear things are running well.

    Those are most likely hidden files. Either you will have to turn on hidden files and look for them manually, or use the advanced search options from Start > Search.
    Windows Search is likely faster.

    Start > Search > For files and folders > All files and folders.

    Type in the file name you want to search for,
    searching drive C:\

    Expand "Advanced search options".

    Have the following checked:

    Search system
    Search hidden
    Search sub folders

    Then hit search

    Also, you may be able to just paste the file path into the box provided at the scan site (beside the "Send/Submit" button).
    Then hit Submit.

    Thanks :)
     
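An added example, not part of the thread: the same search Blender describes above, done from a script so the Hidden and System attributes cannot keep a match out of the results, with a SHA-256 of each hit so the hash can be looked up at an online scanner without uploading the file. The two file names are the ones from the HijackThis log (hmlsvc32.exe and arpa.dll); the directory tree that demo() builds and searches is constructed for the example, with a five-byte text stand-in rather than any real sample.

```python
import hashlib
import os
import stat


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def win_attributes(path):
    """Letters for the Windows Hidden/System/Read-only attributes of a file.
    st_file_attributes only exists on Windows, so this is "" elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    letters = ""
    for letter, bit in (("H", stat.FILE_ATTRIBUTE_HIDDEN),
                        ("S", stat.FILE_ATTRIBUTE_SYSTEM),
                        ("R", stat.FILE_ATTRIBUTE_READONLY)):
        if attrs & bit:
            letters += letter
    return letters


def find_files(root, names):
    """Return every file under root whose name (case-insensitive) is in names.

    os.walk lists hidden and system files regardless of the Explorer setting,
    and unreadable directories are skipped instead of aborting the walk.
    Each hit carries size, attributes and SHA-256; a file that cannot be read
    (locked or permission denied) is still listed, with the error instead.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _subdirs, files in os.walk(root, onerror=lambda _err: None):
        for fname in files:
            if fname.lower() not in wanted:
                continue
            full = os.path.join(dirpath, fname)
            try:
                hits.append({"path": full,
                             "size": os.path.getsize(full),
                             "attrs": win_attributes(full),
                             "sha256": sha256_of(full)})
            except OSError as exc:
                hits.append({"path": full, "error": str(exc)})
    return hits


def demo():
    """Constructed tree for the example: a planted HMLSVC32.EXE stand-in (the
    bytes b"hello", not a malware sample) next to a decoy, searched with the
    two names from the HijackThis log."""
    import tempfile
    root = tempfile.mkdtemp(prefix="hjt-search-")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "HMLSVC32.EXE"), "wb") as fh:
        fh.write(b"hello")
    with open(os.path.join(sys32, "notepad.exe"), "wb") as fh:
        fh.write(b"decoy")
    return find_files(root, ["hmlsvc32.exe", "arpa.dll"])


if __name__ == "__main__":
    import sys
    # usage: python find_and_hash.py C:\ hmlsvc32.exe arpa.dll
    results = find_files(sys.argv[1], sys.argv[2:]) if len(sys.argv) > 2 else demo()
    for hit in results:
        print(hit)
```

A name that still turns up nothing with this search is a useful result in itself: the O4 and O20 entries point at a file that no longer exists, which is consistent with the loader having already been removed, and the stale registry entries can then be fixed in HijackThis.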
