Malware Problem [Archive] - PCMech Forums



JC00
05-25-2007, 09:02 PM
I am experiencing a slowdown in my computer lately particularly while booting up. I already did the following:

freed up 50% of hdd space
ran registry mechanic
defragment
ran an antivirus

However, this wasn't the only problem. An Internet Explorer thing pops up a few minutes after bootup asking whether to work offline or connect, which is weird since I'm not always online. Occasionally a problem also occurs when I connect to the Internet where a lot of Internet Explorer windows pop up. I don't use IE since I'm a Firefox user.

How can I fix this?

I'm using Windows XP SP2.

pam123
05-26-2007, 03:31 AM
Unfortunately (since we're all stuck with IE) anything that bites IE browser, will drag down your system even if you use Firefox.
You've got spyware/trojans of some sort and it got to you through IE ( possibly unpatched ).
An av program and an anti-spyware program are not, necessarily, one and the same.
So first go here : http://www.lavasoftusa.com/
and here : http://www.safer-networking.org/en/index.html
and get spyware removal tools.

Run them and post back the results.

edit : If you haven't updated your system do so now.

Cricket
05-26-2007, 11:37 AM
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) too. It's a spyware blocker that will help keep unwanted things off your computer.

:) Cricket

JC00
05-29-2007, 06:48 AM
Using Spybot I found a number of adware. The biggest problem adware is Smitfraud since it's a bit too tough to remove. I'm currently researching ways to fix it.

pam123
05-29-2007, 08:05 AM
Smitfraud is tough to get rid of.
Back up any data you need to keep and reformat is what I've ended up doing.
We do have a thread on removing it but it's a bear : http://forum.pcmech.com/showthread.php?t=180387&highlight=smitfraud+removal

JC00
05-29-2007, 10:28 PM
Read the link that pam123 provided and I didn't like what I gathered. I guess the fastest way to get rid of Smitfraud is a reformat.

Cricket
05-29-2007, 11:15 PM
It is possible to remove Smitfraud, but if you can't afford to waste time fighting with it then a reformat and reinstall will get your system back in shape faster.

:) Cricket

Oldkid
05-30-2007, 08:09 PM
Smitfraud, which is actually variants of the Zlob trojan, is not so tough to fix if it is by itself and the proper tool is used. But as is often the case, several threats may come along with it and there are some infections like Viking /Lineage originating out of China that really are a bear.

I don't know why the person in the other thread thinks SmitfraudFix must be paid for to work--perhaps he clicked on an ad for another commercial scanner instead of the download link--but SmitFraudFix is very effective if the zlob variant is not brand new. Zlob constantly changes, but SmitfraudFix does the best job of keeping up and gets updated often--I've seen it get updated three times in one day.

Plus the log will show the critical registry key zlob uses, even if it doesn't know about it to fix it.

So JC00, if you haven't already reinstalled, let me know and I'll see what I can do. Or run option #1 and post the log SmitFraudFix makes.

Another general scanner that you can use for free that is fairly new is SuperAntiSpyware. I've been in the Spybot and AdAware camp for years, but I haven't seen them be near as effective now as SAS and AVG AntiSpyware (formerly ewido). I've been impressed to see SAS clear out zlob and Wareout, the latter of which is similar and basically a rootkit.

BTW, Smitfraud typically gets installed when you are told you can't watch a certain video without installing a codec--such as IntCodec--but the Codec is actually the Zlob trojan and the video would have played anyway.

Cricket
05-30-2007, 08:47 PM
> Another general scanner that you can use for free that is fairly new is SuperAntiSpyware. I've been in the Spybot and AdAware camp for years, but I haven't seen them be near as effective now as SAS and AVG AntiSpyware (formerly ewido). I've been impressed to see SAS clear out zlob and Wareout, the latter of which is similar and basically a rootkit.

Never heard of SuperAntiSpyware before...sounds interesting and something I'd be interested in trying. Got a link to a review and a download page?

:) Cricket

Oldkid
05-30-2007, 10:31 PM
Sure, here's the link, sorry bout that: http://www.superantispyware.com/

Didn't really have a link handy for reviews but found a few. These two aren't all that favorable, but they are comparing the commercial version to other commercial apps and I'll comment on those in a bit:

http://www.pcmag.com/article2/0,1895,2127215,00.asp
http://techsupportalert.com/issues/issue144.htm#Section_2.1

For a review of the free version by someone who deals with malware "in the field": http://www.castlecops.com/r420-SUPERAntiSpyware.html

An older review of the Pro version: http://www.wilderssecurity.com/showthread.php?t=149519

I hang around security forums that analyse HijackThis logs and use mostly freeware tools and I see it used a lot. I don't know if it's fair to compare it to SpySweeper and judge it on whether or not it removes keyloggers. It seems to do a good job at removal, and I took note of it in the following thread where Spylocked (a Smitfraud variant) and Wareout were fixed after a SAS run--altho Kaspersky may have had something to do with it too: http://forum.kaspersky.com/index.php?showtopic=35744&view=findpost&p=319232

I take it by that that it cleans Smitfraud and some other families of malware better than some other free scanners. Frankly I've resisted trying it out myself because I've already got Spybot, Adaware and ewido and don't ever get infected to test it. But I did recently install it, just trying to find the time to give it a test run.

What I find interesting and potentially very useful is the Repairs tab when you click on Performance. A lot of malware now will mess with registry permissions, policies, Task Manager, and a whole host of other parts of the system that is listed there. Haven't seen it in action so don't know how well it works, but am itching to try it.

Cricket, let me know how you like it if you give it a try. They are still relatively new but I think it will only get better and be another cleaning weapon in the arsenal.

kev7555
05-30-2007, 11:57 PM
Got to be careful about names here...

Super spyware remover is listed on spywarewarrior website as rogue product. Have not heard of super-antispyware, and they do not list it, so I would like to learn more.


-Kev

JC00
05-31-2007, 04:23 AM
I haven't reformatted yet and I'll definitely want to try removing it without having to reformat.

I'm currently administering a bunch of computers using this laptop with the Smitfraud in it and I just saw in one of the computers an IE window with something like a 6699.com or something that popped up. The computers that I am administering are not connected to the Internet but I do use my laptop to connect to them, usually using VNC software.

Is it possible that the laptop has infected one of the computers already?

This is getting worse every second.

I've been doing some googling and stumbled upon this http://forums.spybot.info/showthread.php?t=14058 forum that discussed the smitfraud removal. Can I use the discussion to remove smitfraud?

Cricket
05-31-2007, 10:20 AM
> I've been doing some googling and stumbled upon this http://forums.spybot.info/showthread.php?t=14058 forum that discussed the smitfraud removal. Can I use the discussion to remove smitfraud?

Give it a try.

:) Cricket

Oldkid
05-31-2007, 11:07 AM
I respectfully disagree with Cricket and would advise against going against this on your own if you are going to just run ComboFix. Every system is different and nowadays malware can be specific to each machine. You may get lucky and get fixed up in one shot as in that thread, but there also may be more to do as in this one:
http://www.bleepingcomputer.com/forums/index.php?showtopic=92182&hl=Toolbar888

ComboFix is meant to be used under supervision--I am in touch with its developer and know miekiemoes, who helps some with development, quite well, and know they would advise the same. It's a great tool for some newer infections, but is still somewhat experimental. For example, there have been occasions when internet connection has been lost because of incorrect removal of an LSP. So as a word of caution, if you feel you should run ComboFix, download WinsockFix first: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

If connection is lost, this will rebuild TCP/IP from scratch. You may very well not need it, but I can't tell without looking at a log like HijackThis to see what else is on your system.

If you want to give ComboFix a try, please post its log back here. If you want to take this more in order and one step at a time, keep the notebook away from other machines until it is clean and do the following:

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.


These are fairly long logs, so it may take more than one post to get them all, but it is a fairly good snapshot of what may need attending to on a person's system and we can take it from there.

My apologies if I'm stepping on any toes here. I'm just used to working logs this way--giving feedback and instructions specific to one person's machine. If this is unacceptable let me know. I come from the same school as Lobos and am (or was, we also haven't heard from him in quite some time) acquainted with him as well.

JC00
06-02-2007, 04:02 AM
I haven't tried the fixes yet since I'm currently busy administering our POSs but I personally want to administer the computers via my laptop. Unfortunately, this laptop has Smitfraud. Is it safe to use this laptop on the LAN of the computers? Can it spread through the network?

Oldkid
06-02-2007, 09:07 AM
That's hard to say without seeing a log. The type of Smitfraud you have is mostly an adware trojan so it is possible that it won't spread. But rule of thumb is to keep an infected machine away from connecting to others. Most malware now does more than one thing and it's getting more common for infections to add victims to a botnet.

The Chinese family of infections I mentioned has gotten very tricky, including using flash drives to spread itself. They use the filename of Autorun.vbs or similar to trick you into thinking it's the normal feature when it's not. Among other ways, just by right-clicking and choosing "Explore" the infection runs. It can also infect a standard hard drive in the same way, so if your laptop has that infection it could spread it around.

I'm not saying this is your situation and that you have that kind of infection, but it's possible. If you have a good antivirus running and are properly firewalled and got lucky to only have a single infection, it might be OK.

pam123
06-02-2007, 10:58 AM
Oldkid is sort of right but I can tell you now that any sysadmin reading this just had cardiac failure.
As annoying and time consuming as backing up, formatting and reinstalling on your laptop will be it's as nothing compared to what you'll be in for if you're wrong and smitfraud gets into the network.

Oldkid
06-02-2007, 12:11 PM
Actually, I agree with that. If it were me, I wouldn't take a chance of connecting the laptop to any sort of network. What Spybot is calling Smitfraud is actually a variant of Conhook/Vundo, rather than zlob. It's fairly common and when successfully removed victims seem to be in pretty good shape. However, it uses rootkits and/or rootkit techniques and is continually morphing, so the only way to be sure it is gone and that something more serious and stealthy isn't left behind is to reformat. Especially in a business environment I wouldn't hesitate to do that.

It may be a bit off-topic, but those Autorun viruses are an administrative nightmare and something to look out for. FYI, there are several variants out, here's a description of two:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-031214-4425-99&tabid=2
http://www.viruslist.com/en/viruses/encyclopedia?virusid=147355

Here's a quote from Tony Klein's article on autostart locations that is mostly posted in private forums:
Autorun.inf files

Although the great majority of Flash drives do not automatically autorun on insertion, the addition of an autorun.inf file can cause them to spread infection. Accessing an infected flash drive through My Computer (Clicking on the drive) will cause that autorun.inf to run.

If the autorun.inf is written a certain way, when the autoplay screen comes up on insertion, the user can be tricked into running a nasty file. By clicking an icon in the "use this program to run"... dialog, a non legit program added to the autorun.inf file on that drive can be run:

shell\open\command=trojan.exe

At least as insidiously, some malware add autorun.inf files to the root and all logical drives.

Examples of malware using these techniques:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-120115-5706-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS%5FRESULOWS%2EA&VSect=P
http://www.symantec.com/security_response/writeup.jsp?docid=2006-120611-3305-99&tabid=1
http://www.symantec.com/security_response/writeup.jsp?docid=2006-111510-2654-99&tabid=2
http://de.trendmicro-europe.com/smb/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=WORM_SIWEOL.A

Sometimes (the Virus.Win32.Small.k aka W32/Autom-A Worm (http://www.sophos.com/security/analyses/w32automa.html) is a case in point), "MountPoints" subkeys are compromised:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints (Win 9x, Windows 2000)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (Windows XP)

Example from an infected registry:

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\AutoRun\command]
@="C:\\"

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"


Here, an infector file (Autorun.vbs) is placed in the root of Drive C, and this file gets executed whenever the user either double-clicks on Drive C, or right-clicks the drive and chooses 'Explore'.
With that sort of thing out there I wouldn't take a chance of connecting any infected machine to a network. And to clean it up you need to have flash drives inserted during a scan--not in your pocket or on a key chain. There are some tools out there to fix those, but...
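
The autorun.inf and MountPoints2 tricks quoted above can be checked offline from a disk image or a registry export. The following is an added example, not code from the thread or from Tony Klein's article: it parses the text of an autorun.inf and a .reg export of the MountPoints2 key (as written by reg export or regedit) and lists every entry that would run something when the drive is opened or explored. The sample inputs are constructed, modelled on the lines quoted above; the GUID is the one from the thread.

```python
import re

# [autorun] keys that cause something to execute on insert, double-click or Explore.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$")
# Handing a script to WScript/CScript is the pattern quoted above (Autorun.vbs).
SCRIPT_EXT = (".vbs", ".js", ".wsf", ".bat", ".cmd", ".pif", ".scr")

# Constructed sample modelled on the "shell\open\command=trojan.exe" line above.
SAMPLE_AUTORUN_INF = r"""[autorun]
icon=setup.exe,0
open=setup.exe
shell\explore\command=WScript.exe .\autorun.vbs
shell\open\command=trojan.exe
"""

# Constructed .reg export; the GUID is the one quoted in the thread. In .reg
# syntax a backslash inside string data is written as "\\".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{36e87055-e94f-11d9-8331-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"
"""


def parse_autorun_inf(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def flag_autorun(entries):
    """List (key, value, reason) for keys that launch code when the drive is opened."""
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            low = value.lower()
            if low.endswith(SCRIPT_EXT) or "wscript" in low or "cscript" in low:
                reason = "runs a script through a script host"
            else:
                reason = "runs a program"
            findings.append((key, value, reason))
    return findings


REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^(@|"[^"]*")=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        k = REG_KEY.match(line)
        if k:
            current = k.group(1)
            keys[current] = {}
            continue
        v = REG_VAL.match(line)
        if v and current is not None:
            name = "(default)" if v.group(1) == "@" else v.group(1).strip('"')
            data = v.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping of backslashes and quotes inside string data.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def flag_mountpoints(keys):
    """Return (key_path, command) for MountPoints* ...\\Shell\\<verb>\\command overrides.

    Explorer runs this command instead of the normal verb when the user
    double-clicks the drive or right-clicks it and chooses Explore.
    """
    findings = []
    for path, values in keys.items():
        parts = path.split("\\")
        if (len(parts) >= 4 and parts[-3].lower() == "shell"
                and parts[-1].lower() == "command"
                and any(p.lower().startswith("mountpoints") for p in parts)):
            findings.append((path, values.get("(default)", "")))
    return findings


if __name__ == "__main__":
    for finding in flag_autorun(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print("autorun.inf:", finding)
    for finding in flag_mountpoints(parse_reg_export(SAMPLE_REG)):
        print("registry:", finding)
```

A vendor autorun.inf that runs its own setup.exe is reported too, so treat the output as a review list rather than a verdict; the script-host and Shell\explore overrides are the ones the quoted article singles out.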

JC00
06-03-2007, 02:17 AM
Thank you. I currently have a software-based administrative problem and wouldn't want to add Smitfraud to this long list of problems.

I want to reformat so badly but couldn't since I constantly need this laptop.

kev7555
06-03-2007, 03:27 PM
Good point about autorun. I NEVER select the XP option for autorun on any device. I don't want some other application executing when I didn't ask it to do so.

-Kev

JC00
06-04-2007, 10:48 AM
This is a log of Hijackthis. Please judge whether or not this can spread throughout the network.

Logfile of HijackThis v1.99.1
Scan saved at 10:40:45 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\Watcher.exe
C:\Program Files\FlashGet\flashget.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\apqtupjb.dll",realset
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AirCardEnabler] "C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ScottsPaperManager] "C:\Program Files\SBPaper\paper.exe" -autominimize
O4 - HKCU\..\Run: [Softany Monitor Control] C:\Program Files\Softany\Monitor Control\MonitorControl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

Oldkid
06-04-2007, 11:18 AM
That log is almost clean, but I can tell you do have a Vundo infection because no O2 or O20 notify entries are present. It is common for Vundo to filter the HJT output to prevent detection.

Rename HijackThis to something else--let's say MyHJT.exe. Then scan again and post another log, please.

I would actually prefer seeing the DSS logs that I posted a link to earlier. It gives much more information, but also includes a HijackThis log that has been renamed if necessary. HJT doesn't see things like rootkits and some other new techniques that hide malware. DSS will show hidden driver services that are commonly reinstalling the malware that you can find and remove with HJT. If you really want to see what may well spread to other systems, that is a better tool to run.

JC00
06-10-2007, 09:44 PM
Here's the DSS output. Please judge.



Deckard's System Scanner v20070603.47
Run by IBM User on 2007-06-11 at 09:37:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-06-11 09:37:38
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\IBMTOOLS\utils\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\SBPaper\paper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\Watcher.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\FlashGet\flashget.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\IBM User\My Documents\Quarantine Area\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\Jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {66020456-CB22-487F-AC2C-09F6417C55B3} - C:\WINDOWS\system32\vtuspol.dll
O2 - BHO: (no name) - {73151746-2C7C-4D19-829D-01DC0367B1FE} - C:\WINDOWS\system32\awtsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {CF95730C-7A62-4C2D-BDF2-3E77798DB60f} - C:\WINDOWS\system32\bxlmbbox.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\qtdqeckv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AirCardEnabler] "C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\gtfkxpei.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ScottsPaperManager] "C:\Program Files\SBPaper\paper.exe" -autominimize
O4 - HKCU\..\Run: [Softany Monitor Control] C:\Program Files\Softany\Monitor Control\MonitorControl.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - AutorunsDisabled - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra 'Tools' menuitem: (no name) - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O11 - Options Group: [JAVA_IBM] Java (IBM)
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll
O20 - Winlogon Notify: psfus - C:\Program Files\IBM fingerprint software\psfus.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\system32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\system32\tphklock.dll
O20 - Winlogon Notify: vtuspol - C:\WINDOWS\system32\vtuspol.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - "C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe"
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe -r
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\system32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - "C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe"
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\system32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSvc.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - "C:\Program Files\Common Files\Virtual Token\vtserver.exe"


-- Files created between 2007-05-11 and 2007-06-11 -----------------------------

2007-06-11 07:26:35 0 dr-h----- C:\Documents and Settings\IBM User\Recent
2007-06-10 21:56:18 0 d-------- C:\USB
2007-06-10 12:56:07 76412 --a------ C:\WINDOWS\system32\gwbyqkrn.dll
2007-06-10 12:55:50 2580 --a------ C:\WINDOWS\system32\uepxbcqw.exe
2007-06-10 12:54:38 131124 --a------ C:\WINDOWS\system32\gtfkxpei.dll
2007-06-10 12:52:29 58420 --a------ C:\WINDOWS\system32\qtdqeckv.dll
2007-06-10 12:32:40 0 d-------- C:\logs
2007-06-08 17:04:57 0 d-------- C:\bde2
2007-06-08 16:21:31 0 d-------- C:\swpos
2007-06-05 09:17:29 0 d-------- C:\HP 3740
2007-06-03 20:44:06 0 d-------- C:\Documents and Settings\IBM User\Application Data\Realtime Soft
2007-06-03 18:45:05 0 d-------- C:\Program Files\Softany
2007-06-02 22:01:50 17 --a------ C:\WINDOWS\system32\'
2007-06-02 22:01:11 5760 --a------ C:\WINDOWS\system32\vnchelp.dll <Not Verified; RDV Soft; UltraVnc Kernel>
2007-06-02 22:01:09 0 d-------- C:\Program Files\UltraVNC
2007-06-02 15:24:25 76412 --a------ C:\WINDOWS\system32\guuvuonk.dll
2007-06-02 11:44:28 0 d-------- C:\Program Files\Microsoft Virtual PC
2007-06-01 22:29:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-05-31 09:07:23 0 d-------- C:\Documents and Settings\NetworkService\Application Data\VMware
2007-05-31 07:55:56 0 d-------- C:\WINDOWS\IIS Temporary Compressed Files
2007-05-31 07:54:07 0 d-------- C:\WINDOWS\system32\Cache
2007-05-31 07:50:36 0 d-------- C:\WINDOWS\system32\Logfiles
2007-05-31 07:50:36 0 d-------- C:\Inetpub
2007-05-27 10:16:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-05-27 08:24:02 0 d-------- C:\Documents and Settings\IBM User\Application Data\Sierra Wireless
2007-05-27 08:22:09 0 d-------- C:\Program Files\Sierra Wireless Inc
2007-05-11 08:12:12 0 d-------- C:\Program Files\Common Files\Stardock
2007-05-11 08:10:59 0 d-------- C:\Program Files\Stardock


-- Find3M Report ---------------------------------------------------------------

2007-06-11 09:32:42 0 d-------- C:\Program Files\FlashGet
2007-06-10 12:50:24 903715 ---hs---- C:\WINDOWS\system32\rstwa.bak2
2007-06-08 16:56:56 0 d-------- C:\Program Files\DOSBox-0.65
2007-05-31 09:44:50 0 d-------- C:\Documents and Settings\IBM User\Application Data\VMware
2007-05-27 17:54:12 0 d-------- C:\Program Files\Colorful Movie Editor Trial
2007-05-27 08:22:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-26 09:31:30 0 d-------- C:\Program Files\Startup-Spy XP 2006
2007-05-26 08:38:15 0 d-------- C:\Program Files\SpywareBlaster
2007-05-10 08:26:56 0 d-------- C:\Program Files\XP-AntiSpy3
2007-05-10 08:26:56 0 d-------- C:\Documents and Settings\IBM User\Application Data\uTorrent
2007-05-09 08:27:27 1080 --a------ C:\WINDOWS\AUTOLNCH.REG
2007-05-07 10:03:39 0 d-------- C:\Program Files\Canon
2007-05-06 09:39:11 132660 --a------ C:\WINDOWS\system32\apqtupjb.dll
2007-05-06 09:38:39 49204 --a------ C:\WINDOWS\system32\ivwvehnn.dll
2007-05-02 23:55:12 0 d-------- C:\Documents and Settings\IBM User\Application Data\Adobe
2007-05-01 08:36:30 0 d-------- C:\Program Files\Lavasoft
2007-04-30 13:07:33 0 d-------- C:\Program Files\SATO
2007-04-30 09:41:08 26678 --a------ C:\WINDOWS\system32\mljifca.dll
2007-04-24 09:17:22 131604 --a------ C:\WINDOWS\system32\bxlmbbox.dll
2007-04-24 09:16:36 123972 --a------ C:\WINDOWS\system32\gflmewod.dll
2007-04-24 09:15:24 49204 --a------ C:\WINDOWS\system32\ncnlrnoj.dll
2007-04-24 09:15:13 498127 ---hs---- C:\WINDOWS\system32\rstwa.bak1
2007-04-24 09:14:43 281172 -----n--- C:\WINDOWS\system32\awtsr.dll
2007-04-23 10:07:03 0 d-------- C:\Program Files\Common Files\Nokia
2007-04-23 10:07:01 0 d-------- C:\Program Files\Common Files\PCSuite
2007-04-22 10:18:56 268343 --a------ C:\WINDOWS\system32\pmnlk.dll
2007-04-22 10:12:28 26678 --a------ C:\WINDOWS\system32\vtuspol.dll
2007-04-21 13:30:29 0 d-------- C:\Documents and Settings\IBM User\Application Data\dvdcss
2007-04-20 07:12:51 0 d-------- C:\Program Files\mIRC
2007-04-14 09:13:12 0 d-------- C:\Program Files\Rapget
2007-04-08 13:43:47 98304 --a------ C:\WINDOWS\system32CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-03-18 08:43:31 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} C:\PROGRA~1\FlashGet\jccatch.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{66020456-CB22-487F-AC2C-09F6417C55B3} C:\WINDOWS\system32\vtuspol.dll
{73151746-2C7C-4D19-829D-01DC0367B1FE} C:\WINDOWS\system32\awtsr.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
{CF95730C-7A62-4C2D-BDF2-3E77798DB60f} C:\WINDOWS\system32\bxlmbbox.dll
{E12BFF69-38A7-406e-A8EF-2738107A7831} C:\WINDOWS\system32\qtdqeckv.dll
{F156768E-81EF-470C-9057-481BA8380DBA} C:\PROGRA~1\FlashGet\getflash.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"TpShocks"="TpShocks.exe"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"ControlCenter"="\"C:\\Program Files\\IBM fingerprint software\\ctlcntr.exe\" /startup"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"IBMPRC"="C:\\IBMTOOLS\\UTILS\\ibmprc.exe"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"QCTray"="C:\\PROGRA~1\\ThinkPad\\CONNEC~1\\QCTray.exe"
"TP4EX"="tp4ex.exe"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
@=""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"AirCardEnabler"="\"C:\\Program Files\\Sierra Wireless Inc\\Network Adapter Manager\\Network Adapter Manager.exe\""
"RegistryMechanic"=""
"ApachInc"="rundll32.exe \"C:\\WINDOWS\\system32\\gtfkxpei.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ScottsPaperManager"="\"C:\\Program Files\\SBPaper\\paper.exe\" -autominimize"
"Softany Monitor Control"="C:\\Program Files\\Softany\\Monitor Control\\MonitorControl.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=hex:01,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoRecentDocsHistory"=hex:01,00,00,00
"NoSMMyDocs"=hex:01,00,00,00
"NoSMMyPictures"=hex:01,00,00,00
"NoNetworkConnections"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{66020456-CB22-487F-AC2C-09F6417C55B3}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuspol

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0pwdmon\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChikkaDefault]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ChikkaLauncher"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\CHIKKA~1\\ChikkaLauncher.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibmmessages"
"hkey"="HKCU"
"command"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=dword:00000002
"WebClient"=dword:00000002
"upnphost"=dword:00000003
"TermService"=dword:00000003
"LmHosts"=dword:00000002
"SSDPSRV"=dword:00000003
"RemoteRegistry"=dword:00000002
"RDSessMgr"=dword:00000003
"mnmsrvc"=dword:00000003
"ERSvc"=dword:00000002
"TrkWks"=dword:00000002
"AVGEMS"=dword:00000002
"Avg7UpdSvc"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##X0#g]
Shell\AutoRun\command T:\autoplay.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4421c085-8511-11db-8874-d6d7e5b1a096}]
Shell\Auto\command RavMonE.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e


-- End of Deckard's System Scanner: finished at 2007-06-11 at 09:40:02 ---------

Oldkid
06-11-2007, 01:04 AM
OK, it looks like a straightforward Vundo infection.

I still need to do further research on whether or not there is anything more serious that could spread there but am missing some information that is usually there in the DSS logs. Did you edit the main.txt file? There is usually a section listing non-Microsoft drivers and services, which is the main thing I wanted to check. But it may not be there because there is evidence you have disabled some services via msconfig. Can you please confirm if you did that?

Also you didn't post the extra.txt file. There is a lot of information there that could be critical to analysis, including some specs, and mostly I would like to see the list of uninstall strings. If you feel that it is too much information to be posted in public you can send it to me via PM. Otherwise, please post that log also.

We can go ahead and get started on cleaning up Vundo. Be advised that all elements may not get cleaned in one shot, so it is important to post followup logs to verify what was successful and what else may need to be done, and to follow these instructions exactly and in the order given.

First you need to rename HijackThis as I asked you to earlier.

Scan again with HijackThis and put a checkmark next to the following entries:

O2 - BHO: (no name) - {66020456-CB22-487F-AC2C-09F6417C55B3} - C:\WINDOWS\system32\vtuspol.dll
O2 - BHO: (no name) - {73151746-2C7C-4D19-829D-01DC0367B1FE} - C:\WINDOWS\system32\awtsr.dll
O2 - BHO: (no name) - {CF95730C-7A62-4C2D-BDF2-3E77798DB60f} - C:\WINDOWS\system32\bxlmbbox.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\qtdqeckv.dll
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\gtfkxpei.dll",realset
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll
O20 - Winlogon Notify: vtuspol - C:\WINDOWS\system32\vtuspol.dll

Close all other windows--you should only see HijackThis on your Desktop and Taskbar--and then click the "Fix checked" button.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop. Note that it must be run from the desktop and if you have downloaded it earlier, download it again to be sure to get the latest version.

Double-click ComboFix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done.

Post this log in your next reply.

One last thing--your Java is out of date. Vundo exploits vulnerabilities in earlier versions and Sun leaves those versions intact even after updating and allows them to be called on request. So it is very important to remove every older version and run only the one that is most up to date.

Updating Java:
Go to Start > Control Panel, double-click on the Software icon > Add/Remove programs.
Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
It should have this icon next to it: http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Select it and click Remove.
Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp


Then scan again with HijackThis and post a new log please.

So in your next reply, along with any info left out of the DSS log, please post the logs from the following:

VundoFix
ComboFix
HijackThis
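As an added example (not from this thread, HijackThis, DSS or any other tool named here), the following Python triages HijackThis-style O2/O4/O20 lines the way the reply above reads them: it flags a module only when two independent indicators agree (an unnamed BHO, a random-looking DLL name in system32, a Run entry loading a DLL through rundll32, or the same module hooked by more than one mechanism, as vtuspol.dll and awtsr.dll are by both a BHO and Winlogon Notify). The sample lines are constructed from entries quoted in the thread plus one benign named BHO for contrast; the name heuristic and the two-indicator threshold are my assumptions, so the output is a triage aid rather than a verdict.

```python
"""Triage of HijackThis-style O2/O4/O20 lines for Vundo-like persistence.
Added example, not the thread's or any tool's code; a heuristic aid, not a verdict."""
import re
from collections import defaultdict

# Constructed sample: entries copied from the thread's log plus one benign named BHO.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {66020456-CB22-487F-AC2C-09F6417C55B3} - C:\WINDOWS\system32\vtuspol.dll
O2 - BHO: (no name) - {73151746-2C7C-4D19-829D-01DC0367B1FE} - C:\WINDOWS\system32\awtsr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\gtfkxpei.dll",realset
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll
O20 - Winlogon Notify: vtuspol - C:\WINDOWS\system32\vtuspol.dll
O20 - Winlogon Notify: psfus - C:\Program Files\IBM fingerprint software\psfus.dll
"""

LINE_RE = {  # one pattern per persistence mechanism HijackThis reports
    "bho": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$"),
    "run": re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "winlogon": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
}
MODULE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe))', re.IGNORECASE)  # first X:\...dll/exe in a command
SYSTEM32 = "c:\\windows\\system32\\"
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")  # assumed heuristic for generated names

def parse_lines(text):
    """Yield (mechanism, entry name, module path, command) for recognised lines."""
    for raw in text.splitlines():
        line = raw.strip()
        for mech, rx in LINE_RE.items():
            m = rx.match(line)
            if not m:
                continue
            gd = m.groupdict()
            cmd = gd.get("cmd", "")
            hit = MODULE_RE.search(cmd)
            path = gd.get("path") or (hit.group(1) if hit else None)
            if path:  # a rundll32 line with no drive-letter module is skipped
                yield mech, gd["name"], path, cmd
            break

def triage(text):
    """Return {lower-cased module path: sorted indicators} for modules with >= 2 hits."""
    hooks = defaultdict(set)    # path -> mechanisms that load it
    reasons = defaultdict(set)  # path -> indicators seen
    for mech, name, path, cmd in parse_lines(text):
        key = path.lower()
        hooks[key].add(mech)
        if mech == "bho" and name == "(no name)":
            reasons[key].add("unnamed BHO")
        if mech == "run" and cmd.lower().startswith("rundll32"):
            reasons[key].add("DLL loaded via rundll32 from Run")
        if key.startswith(SYSTEM32) and RANDOM_DLL.match(key[len(SYSTEM32):]):
            reasons[key].add("random-looking DLL name in system32")
    for key, mechs in hooks.items():
        if len(mechs) > 1:  # e.g. BHO plus Winlogon Notify, as in the thread
            reasons[key].add("hooked via " + "+".join(sorted(mechs)))
    # Two independent indicators are required so one odd name alone is not flagged.
    return {k: sorted(v) for k, v in reasons.items() if len(v) >= 2}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the sample it reports vtuspol.dll, awtsr.dll and gtfkxpei.dll, the same three modules the reply above asks to fix, and leaves the named BHO, igfxpers.exe and psfus.dll alone.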