
Help please: backdoor trojan keeps coming back

6320 Views 28 Replies 3 Participants Last post by seth69
Help please, it keeps coming back when I've cleaned/deleted it many times.
http://img366.imageshack.us/img366/7034/trojanov9.jpg

Together with this error:
http://img373.imageshack.us/img373/5444/mutexpn6.jpg
Status: Not open for further replies.
Logfile of HijackThis v1.99.1
Scan saved at 10:58:54 AM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
D:\Application\Utorrent\utorrent.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.np.edu.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.108.125.98:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [BitTorrent] "D:\bittorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
"Administrator" - 07-01-01 11:17:19.21 Service Pack 2
ComboFix 06-12-29W-BetaE2 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

e:\autorun.inf
C:\INSTALL.LOG
f:\autorun.inf" . . . . failed to delete

((((((((((((((((((((((((((((((( Files Created from 2006-12-01 to 2007-01-01 ))))))))))))))))))))))))))))))))))

2007-01-01 10:58 d-------- C:\Program Files\Hijackthis
2006-12-31 14:27 d-------- C:\WINDOWS\pss
2006-12-31 09:31 d--h-c--- C:\WINDOWS\ie7
2006-12-31 09:31 d-------- C:\WINDOWS\WBEM
2006-12-31 09:31 d-------- C:\WINDOWS\system32\en-US
2006-12-31 09:29 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-31 09:28 d-------- C:\WINDOWS\network diagnostic
2006-12-26 22:40 155,648 --a------ C:\WINDOWS\system32\libssl32.dll
2006-12-04 17:24 d-------- C:\DOCUME~1\S10034~3\.grasp_settings
2006-12-04 17:23 d-------- C:\RRBACK~1\DOCUME~1\S10034~3\APPLIC~1\ThinkVantage
2006-12-04 17:20 d---s---- C:\DOCUME~1\S10034~3\UserData
2006-12-04 17:20 d-------- C:\DOCUME~1\S10034~3\Bluetooth Software
2006-12-04 17:20 d-------- C:\DOCUME~1\S10034~3\APPLIC~1\ThinkVantage
2006-12-04 17:20 d-------- C:\DOCUME~1\S10034~3\APPLIC~1\Symantec
2006-12-04 17:20 d-------- C:\DOCUME~1\S10034~3\APPLIC~1\Sun
2006-12-04 17:20 d-------- C:\DOCUME~1\S10034~3\APPLIC~1\IBM
2006-12-04 17:20 d-------- C:\DOCUME~1\S10034~3\APPLIC~1\Google
2006-12-04 17:20 d-------- C:\DOCUME~1\S10034~3\APPLIC~1\Apple Computer

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-01 11:22 -------- d-------- C:\Program Files\symantec antivirus
2007-01-01 11:20 -------- d-------- C:\Documents and Settings\Administrator\Application Data\utorrent
2006-12-31 09:26 -------- d-------- C:\Program Files\java
2006-12-31 09:16 5427 --a------ C:\WINDOWS\system32\egathdrv.sys
2006-12-07 14:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-30 13:34 -------- d-------- C:\Program Files\jgrasp
2006-11-29 23:41 327680 -ra------ C:\WINDOWS\system32\grdupdater.exe
2006-11-24 19:26 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-11-15 15:47 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\microsoft
2006-11-12 20:03 2829 --a------ C:\WINDOWS\war3unin.pif
2006-11-12 20:03 139264 --a------ C:\WINDOWS\war3unin.exe
2006-11-08 17:05 -------- d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2006-11-08 13:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 22:53 1220608 -ra------ C:\WINDOWS\system32\clubbox.exe
2006-11-02 17:29 61440 --a------ C:\WINDOWS\system32\nod.dll
2006-10-24 22:53 122880 -ra------ C:\WINDOWS\system32\downengine.dll
2006-10-19 21:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 20:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 20:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 20:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BitTorrent"="\"D:\\bittorrent\\bittorrent.exe\" --force_start_minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"TpShocks"="TpShocks.exe"
"TP4EX"="tp4ex.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"suScheduler"="C:\\Program Files\\ThinkVantage\\SystemUpdate\\UCLauncher.exe /SCHEDULER"
"LPManager"="C:\\PROGRA~1\\THINKV~2\\PrdCtr\\LPMGR.exe"
"AMSG"="C:\\Program Files\\ThinkVantage\\AMSG\\Amsg.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"cssauth"="\"C:\\Program Files\\IBM ThinkVantage\\Client Security Solution\\cssauth.exe\" silent"
"PDService.exe"="\"C:\\Program Files\\IBM ThinkVantage\\SafeGuard PrivateDisk\\pdservice.exe\""
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"ACTray"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\ACTray.exe"
"ACWLIcon"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\ACWLIcon.exe"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~2\\VPTray.exe"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Task"="C:\\DOCUME~1\\ADMINI~1\\taskmgr.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Shell\Open\command Boot.exe e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\autoplay.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6be0f5c5-0807-11db-880a-00130210cb51}]
Shell\Auto\command RavMonE.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8cf84025-6aeb-11db-88e3-0014a4d6d952}]
Shell\Auto\command RavMonE.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d060c008-7509-11db-8901-0014a4d6d952}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Shell\Open\command G:\Boot.exe e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da70718e-7a8a-11db-8911-0014a4d6d952}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Shell\Open\command G:\Boot.exe e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fab033f4-e605-11da-87ce-00130210cb51}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Shell\Open\command G:\Boot.exe e

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\PMTask.job

Completion time: 07-01-01 11:25:09.43
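Editor's added example, not part of the original thread or of any helper's fix: the two logs above already show the entries a practitioner would triage before running another scanner. In the ComboFix "Reg Loading Points" section, HKCU\...\Explorer\MountPoints2 caches the autorun.inf handler of every removable volume the user has opened; the Shell\AutoRun\command and Shell\Open\command values pointing at RavMonE.exe, Boot.exe and F:\autoplay.exe mean those volumes carried an autorun.inf, and Explorer runs the same program again on the next insert or double-click of that volume. That, plus the thumb drives themselves, is the usual reason an infection of this shape "keeps coming back" after the files on C: are cleaned. The policies\explorer\Run value "Task" launches a file named taskmgr.exe from the Administrator's profile instead of from C:\WINDOWS\system32, and the HijackThis R1 line sets Internet Explorer's proxy to a public address (61.108.125.98:3128). The Python below parses exactly these line shapes, flags each, and pairs every finding with a reg.exe command that removes it. The sample text is a trimmed copy of the posted lines; the trusted-path prefixes, the list of Windows binary names and the remediation commands are the editor's own heuristics, not something the thread states.

```python
"""Triage autostart lines from a HijackThis / ComboFix log: cached removable-media
autorun handlers (MountPoints2), Run-key values starting from odd places, and an
IE proxy pointing at a public IP. Editorial example; heuristics are the editor's own."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: trimmed copy of lines from the HijackThis and ComboFix logs above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.108.125.98:3128
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BitTorrent"="\"D:\\bittorrent\\bittorrent.exe\" --force_start_minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Task"="C:\\DOCUME~1\\ADMINI~1\\taskmgr.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Shell\Open\command Boot.exe e
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6be0f5c5-0807-11db-880a-00130210cb51}]
Shell\Auto\command RavMonE.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
"""

# Editor's assumptions: where legitimate autostarts normally live, and Windows binary
# names that should never be launched from a user profile.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
SYSTEM_BINARY_NAMES = {"taskmgr.exe", "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}
# NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type, so neither a cached
# MountPoints2 handler nor an autorun.inf on read-only media is executed again.
DISABLE_AUTORUN_CMD = ('reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"'
                       ' /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f')

def autorun_target(command: str) -> str:
    """Windows stores an autorun.inf 'shellexecute=' line as 'RunDLL32 Shell32.DLL,
    ShellExec_RunDLL <target> <args>' and an 'open=' line as the bare command."""
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith("shellexec_rundll") and i + 1 < len(tokens):
            return tokens[i + 1]
    return tokens[0] if tokens else ""

def program_path(value: str) -> str:
    """Program path in a Run value as ComboFix prints it (backslashes and quotes
    escaped): the quoted part if quoted, otherwise up to the first .exe/.dll."""
    value = value.replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r'"([^"]+)"', value) or re.match(r"(.+?\.(?:exe|dll))", value, re.I)
    return m.group(1) if m else value

def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once, tracking the current [registry key]; each finding carries a reg.exe fix."""
    findings: List[Dict[str, str]] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        key_lc = key.lower()
        # 1. MountPoints2 caches each opened volume's autorun.inf handler; Explorer re-runs it.
        if "\\mountpoints2\\" in key_lc and line.lower().startswith("shell\\"):
            verb, _, command = line.partition(" ")
            findings.append({"kind": "removable-media autorun", "key": key,
                             "detail": f"{verb} launches {autorun_target(command)}",
                             "remediation": f'reg delete "{key}" /f'})
            continue
        # 2. Values under any ...\Run key, including the rarely inspected policies\explorer\Run.
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key_lc.endswith("\\run"):
            path = program_path(m.group(2))
            exe = path.rsplit("\\", 1)[-1].lower()
            reasons = []
            if not path.lower().startswith(TRUSTED_PREFIXES):
                reasons.append("starts from outside Windows/Program Files")
            if exe in SYSTEM_BINARY_NAMES and not path.lower().startswith("c:\\windows\\"):
                reasons.append(f"{exe} is a Windows binary name outside %SystemRoot%")
            if reasons:
                findings.append({"kind": "autostart value", "key": key,
                                 "detail": f"{m.group(1)} -> {path}: " + "; ".join(reasons),
                                 "remediation": f'reg delete "{key}" /v "{m.group(1)}" /f'})
            continue
        # 3. An IE ProxyServer on a public IP routes every browser request through a third
        #    party; private addresses and hostnames are left for a human to judge.
        m = re.match(r"R1 - (.+?),ProxyServer = (\S+)", line)
        if m:
            host = m.group(2).rsplit(":", 1)[0]
            try:
                is_public = not ipaddress.ip_address(host).is_private
            except ValueError:  # a hostname, not an address
                is_public = False
            if is_public:
                findings.append({"kind": "proxy hijack", "key": m.group(1),
                                 "detail": f"ProxyServer = {m.group(2)}",
                                 "remediation": f'reg delete "{m.group(1)}" /v ProxyServer /f'})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}\n    fix: {f['remediation']}")
```

Run it as-is to see the eight findings for the sample, or feed a complete ComboFix or HijackThis log into triage(). The Run-key heuristic is deliberately noisy: a legitimate program started from D:\ (the BitTorrent entry here) is reported as a lead to look at, not a verdict, and bare names such as TpShocks.exe that resolve through PATH would be reported the same way. Deleting the MountPoints2 keys only clears the cache; the thumb drives still carry their autorun.inf and payload and must be cleaned too, and the ComboFix line "f:\autorun.inf ... failed to delete" is consistent with the poster's remark that F: is the CD drive, since nothing on read-only media can be removed. Setting NoDriveTypeAutoRun to 0xFF (DISABLE_AUTORUN_CMD above) stops Windows from executing any of them regardless.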
I use a thumb drive, but it was weeks ago, so they were not connected during ComboFix.
I've searched for both files, including in hidden folders + system + all drives, and no results :(
/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2007-01-02, 14:35:28, Auto-clean mode specified.
2007-01-02, 14:35:28, Running scanner "C:\sysclean\TSC.BIN"...
2007-01-02, 14:36:05, Scanner "C:\sysclean\TSC.BIN" has finished running.
2007-01-02, 14:36:05, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Tue Jan 02 2007 14:35:28

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 822) [success]

Complete time : Tue Jan 02 2007 14:36:05
Execute pattern count(3029), Virus found count(0), Virus clean count(0), Clean failed count(0)

2007-01-02, 14:38:17, An error was detected on "D:\Downloads\(MUGEN) ????? ~????????????~ ??(MG-007)@Burn.U??AVI\*.*": The filename, directory name, or volume label syntax is incorrect.
2007-01-02, 14:38:17, An error was detected on "D:\Downloads\(??caribbeancom)?????~?????????????~sogood??~??18p2p\*.*": The filename, directory name, or volume label syntax is incorrect.
2007-01-02, 14:38:29, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2007-01-02, 14:38:29, An error was detected on "E:\System Volume Information\*.*": Access is denied.
2007-01-02, 15:01:48, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/2/2007 14:38:30
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 155 (148263 Patterns) (2007/01/01) (415500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

82325 files have been read.
82325 files have been checked.
77948 files have been scanned.
252751 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/2/2007 15:01:47
---------*---------*---------*---------*---------*---------*---------*---------*
2007-01-02, 15:01:48, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/2/2007 14:38:30
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 155 (148263 Patterns) (2007/01/01) (415500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

82325 files have been read.
82325 files have been checked.
77948 files have been scanned.
252751 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/2/2007 15:01:47 23 minutes 16 seconds (1396.47 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-01-02, 15:01:48, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/2/2007 14:38:30
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 155 (148263 Patterns) (2007/01/01) (415500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

82325 files have been read.
82325 files have been checked.
77948 files have been scanned.
252751 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/2/2007 15:01:47 23 minutes 16 seconds (1396.47 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-01-02, 15:01:48, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
2007-01-02, 15:06:09, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/2/2007 15:01:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 155 (148263 Patterns) (2007/01/01) (415500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

5676 files have been read.
5676 files have been checked.
4202 files have been scanned.
22952 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/2/2007 15:06:09
---------*---------*---------*---------*---------*---------*---------*---------*
2007-01-02, 15:06:09, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/2/2007 15:01:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 155 (148263 Patterns) (2007/01/01) (415500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

5676 files have been read.
5676 files have been checked.
4202 files have been scanned.
22952 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/2/2007 15:06:09 4 minutes 19 seconds (259.28 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-01-02, 15:06:09, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/2/2007 15:01:48
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 155 (148263 Patterns) (2007/01/01) (415500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\sysclean

5676 files have been read.
5676 files have been checked.
4202 files have been scanned.
22952 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/2/2007 15:06:09 4 minutes 19 seconds (259.28 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-01-02, 15:06:09, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
2007-01-02, 15:06:10, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/2/2007 15:06:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 155 (148263 Patterns) (2007/01/01) (415500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\sysclean

10 files have been read.
10 files have been checked.
10 files have been scanned.
10 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/2/2007 15:06:10
---------*---------*---------*---------*---------*---------*---------*---------*
2007-01-02, 15:06:10, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/2/2007 15:06:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 155 (148263 Patterns) (2007/01/01) (415500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\sysclean

10 files have been read.
10 files have been checked.
10 files have been scanned.
10 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/2/2007 15:06:10 0.05 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-01-02, 15:06:10, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 1/2/2007 15:06:09
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 155 (148263 Patterns) (2007/01/01) (415500)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\sysclean

10 files have been read.
10 files have been checked.
10 files have been scanned.
10 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/2/2007 15:06:10 0.05 seconds has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-01-02, 15:06:10, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

Err, after I rebooted, on my antivirus the Auto-Protect thing comes up again, but this time with more trojans cleaned. Is my case hopeless?
I have an F drive which is for CDs, but the file autoplay.exe can't be found.

Mine is using Symantec AntiVirus and the Auto-Protect function brings up this
--> http://img366.imageshack.us/img366/7034/trojanov9.jpg
except that there were 5 Backdoor.Trojans auto-cleaned today rather than the usual 3 which you can see at the link. The Auto-Protect box comes out randomly, and the mutex error as well
--> http://img373.imageshack.us/img373/5444/mutexpn6.jpg

Here's the new ComboFix:

Attachments

G drive is for the thumb drive.
I finished what you told me to do, but I get this error:
Windows cannot find C:\DOCUME~1\ADMINI~1\taskmgr.exe at startup.
Actually I had this error before, but I pasted the taskmgr.exe at that location and since then
my Task Manager always comes up during startup (this was before).
Ya, double-click on seth69, I did it. Nope, no thumb drive connected the past few weeks.
Look, file attached:

Attachments

Error still occurs after restart.
On startup Auto-Protect shows only 1 file cleaned, which is the unknown text file.
Ya, I unticked "load startup items".