Full Version: Unable to clean virus/trojan
matthewmak
My computer got infected by some virus/trojan yesterday. I ran an anti-virus program and Ad-Aware to scan the computer, but neither of them could find the source of the virus/trojan.

From my observations:
- The virus/trojan is activated whenever I double-click 'C Drive' or 'E Drive' in My Computer.
- Sometimes a small application called 'update1.exe' pops up after I double-click as above.
- They are also activated when I use Internet Explorer.
- They install additional components into my Internet Explorer.
- There are pop-up ads from Internet Explorer as well.
- Windows XP keeps asking me to install an update, but after the installation completes successfully it pops up again very soon.
- The 'show hidden files' option is disabled. I tried to switch to 'show hidden files' many times, but it automatically switches back to hidden mode, so I was unable to locate the source of the infection.

xxxxxxxxxx

The history of my anti-virus program is copied below for your information. (Please note that I am using Chinese Windows, so I have translated part of the report for easier reference.)

Risk,Action,File name,Date,Location
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-14 12:32,C:\WINDOWS\
Hacktool.Rootkit,Quarantined,c0mz.sys,2006-11-14 12:31,C:\DOCUME~1\ssb\LOCALS~1\Temp\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-14 11:41,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-14 10:45,C:\WINDOWS\
Trojan Horse,Quarantined,ipconfig.vbs,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,No action,NTWorkStan[1].txt,2006-11-13 20:04,C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLMZ41QT\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,No action,NTWorkStan[2].txt,2006-11-13 20:04,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan[1].txt,2006-11-13 20:04,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1XC8Q4HM\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,No action,NTWorkStan[1].txt,2006-11-13 20:04,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H7PR7151\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,No action,NTWorkStan[1].txt,2006-11-13 20:04,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,No action,NTWorkStan[1].txt,2006-11-13 20:04,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87VSPI9T\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 20:04,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 20:04,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1XC8Q4HM\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 20:03,C:\windows\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 20:03,C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLMZ41QT\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:39,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:38,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87VSPI9T\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:37,C:\windows\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:36,C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W1KXYLWB\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:35,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:34,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H7PR7151\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:33,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:32,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:31,C:\windows\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:29,C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLMZ41QT\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:28,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1XC8Q4HM\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:26,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:24,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87VSPI9T\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:23,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:23,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H7PR7151\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:22,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[2].txt,2006-11-13 19:22,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H7PR7151\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:22,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:21,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87VSPI9T\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:21,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:21,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:20,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[2].txt,2006-11-13 19:20,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:19,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:19,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H7PR7151\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:19,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[2].txt,2006-11-13 19:18,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:17,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:15,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87VSPI9T\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:12,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[2].txt,2006-11-13 19:09,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:08,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:06,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H7PR7151\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:05,C:\WINDOWS\system32\
Adware.PigSearch,Need restart - Quarantined,deskipn.dll.zgx,2006-11-13 19:04,C:\Program Files\DeskAdTop\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:02,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Hacktool.Rootkit,Quarantined,lw6yqkc.sys,2006-11-13 19:01,C:\WINDOWS\TEMP\
Trojan.Linkmediac,Deleted,SDMAGE~1.DLL,2006-11-13 19:00,C:\PROGRA~1\LINKME~1\
Trojan.Linkmediac,Deleted,NWSAPA~1.DLL,2006-11-13 18:59,C:\PROGRA~1\LINKME~1\
Trojan.Linkmediac,Deleted,ACSs.dll,2006-11-13 18:59,C:\PROGRA~1\LINKME~1\
Trojan.Linkmediac,Deleted,SDMAGE~1.DLL,2006-11-13 18:58,C:\WINDOWS\system32\
Trojan.Linkmediac,Deleted,NWSAPA~1.DLL,2006-11-13 18:54,C:\WINDOWS\system32\
Trojan.Linkmediac,Deleted,ACSs.dll,2006-11-13 18:51,C:\WINDOWS\system32\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-13 18:49,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-13 18:44,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-13 15:59,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-13 15:39,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-13 15:38,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-13 15:37,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-13 15:36,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-13 14:12,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-13 12:08,C:\WINDOWS\
Infostealer.Gampass,Clear,rundll32.exe,2006-11-13 11:52,c:\WINDOWS\Intel\
Infostealer.Gampass,Quarantined,002[1].com,2006-11-13 11:50,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M4PEN401\
Infostealer.Lineage,Need restart - Quarantined,ztdll.dll,2006-11-13 11:02,c:\WINDOWS\system32\
Infostealer.Gampass,Terminate process,rundll32.exe,2006-11-13 10:59,c:\WINDOWS\Intel\
Infostealer.Lineage,Part,ztdll.dll,2006-11-13 10:59,c:\WINDOWS\system32\
Adware.PigSearch,Need restart - Quarantined,Run.dll,2006-11-13 10:07,C:\Program Files\DeskAdTop\
Infostealer,Clear,??????,2006-11-13 10:02,??????
Infostealer.Lemir,Clear,??????,2006-11-13 10:02,??????
Adware.PigSearch,Undecided,deskipn.dll.zgx,2006-11-13 9:52,C:\Program Files\DeskAdTop\

xxxxxxxxxx

The HijackThis log file is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 15:08:51, on 2006-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\conime.exe
C:\DOCUME~1\ssb\LOCALS~1\Temp\mccrar.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush0.dll
O2 - BHO: CNNIC 网络工具Drag - {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - (no file)
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E5A7A15F-213F-4FCF-8DE7-D388F9FB09EB} - C:\WINDOWS\system32\cnwin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\SYMANT~2\\vptray.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Update] C:\WINDOWS\system32\Update.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\system32\real.exe
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra 'Tools' menuitem: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 更新 ThinkPad 软件 - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [CDNCLIENT] 中文上网
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/cn/zh/
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS 核心服务 (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - c:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

xxxxxxxxxx

This has caused me a great deal of nuisance. Please help me to solve the above problem.

Thanks!
Matthew
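The AV history above shows the same Downloader file being deleted from system32 every few minutes and then detected again, while several rows end in "Part" or "No action", and two kernel drivers (.sys) were quarantined from temp directories. The Python below is an added example, not code from the original post, from Lavasoft, or from Symantec: it parses rows in that five-column export format and reports the re-detection loops, the detections that did not remove anything, and the temp-directory driver drops. The rows are excerpted from the log quoted above; the 8.3 short-name folding (so that NTWORK~1.DLL and NTWorkStan.dll count as one file) and the list of actions treated as "removed" are assumptions about the product's wording, not taken from its documentation.

```python
"""Triage an AV history export (Risk,Action,File name,Date,Location rows) for
re-infection loops, detections that were not removed, and drivers dropped in temp."""
import csv
import ntpath
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Rows excerpted from the AV history in the post above; a real export would be
# read from a file that starts with the same header line.
SAMPLE_LOG = r"""Risk,Action,File name,Date,Location
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-14 12:32,C:\WINDOWS\
Hacktool.Rootkit,Quarantined,c0mz.sys,2006-11-14 12:31,C:\DOCUME~1\ssb\LOCALS~1\Temp\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-14 11:41,C:\WINDOWS\
Infostealer.Lemir,Deleted,136741M.BMP,2006-11-14 10:45,C:\WINDOWS\
Trojan Horse,Quarantined,ipconfig.vbs,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,Deleted,NTWorkStan.dll,2006-11-13 20:04,C:\WINDOWS\system32\
Downloader,No action,NTWorkStan[1].txt,2006-11-13 20:04,C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLMZ41QT\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:39,C:\WINDOWS\system32\
Downloader,Part,NTWorkStan[1].txt,2006-11-13 19:38,C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87VSPI9T\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:37,C:\windows\system32\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:35,C:\WINDOWS\system32\
Downloader,Deleted,NTWORK~1.DLL,2006-11-13 19:33,C:\WINDOWS\system32\
Hacktool.Rootkit,Quarantined,lw6yqkc.sys,2006-11-13 19:01,C:\WINDOWS\TEMP\
Infostealer.Gampass,Clear,rundll32.exe,2006-11-13 11:52,c:\WINDOWS\Intel\
Infostealer.Lineage,Part,ztdll.dll,2006-11-13 10:59,c:\WINDOWS\system32\
"""

# Actions assumed to leave no copy of the file behind. "Part", "No action" and
# "Undecided" mean the file is still on disk. Assumption about the product's wording.
REMOVED_ACTIONS = {"deleted", "quarantined", "need restart - quarantined",
                   "clear", "terminate process"}


def parse_av_history(text):
    """Parse the CSV export into dicts with a real datetime, oldest row first."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({"risk": row["Risk"], "action": row["Action"],
                     "file": row["File name"], "location": row["Location"],
                     "when": datetime.strptime(row["Date"], "%Y-%m-%d %H:%M")})
    return sorted(rows, key=lambda r: r["when"])


def family(filename):
    """Fold a name so its 8.3 short form counts as the same file (heuristic).

    Windows builds short names from the first six characters plus ~N, so
    NTWORK~1.DLL and NTWorkStan.dll both fold to 'ntwork.dll'.
    """
    base, ext = ntpath.splitext(filename.lower())
    base = base.split("~")[0] if "~" in base else base[:6]
    return base + ext


def redetection_loops(records, min_hits=3):
    """Group detections by (risk, folded name) and keep the repeat offenders.

    A file that comes back after every deletion is being re-dropped by
    something the scanner has not found; minutes_per_hit shows how fast.
    """
    groups = defaultdict(list)
    for r in records:                      # records are already time-ordered
        groups[(r["risk"], family(r["file"]))].append(r)
    loops = {}
    for key, hits in groups.items():
        if len(hits) < min_hits:
            continue
        first, last = hits[0]["when"], hits[-1]["when"]
        loops[key] = {"count": len(hits), "first": first, "last": last,
                      "minutes_per_hit": (last - first).total_seconds() / 60 / (len(hits) - 1),
                      "locations": sorted({h["location"].lower() for h in hits})}
    return loops


def unresolved(records):
    """Detections whose action did not remove the file; these are still on disk."""
    return [r for r in records if r["action"].lower() not in REMOVED_ACTIONS]


def temp_drivers(records):
    """Kernel drivers (.sys) written under a temp directory: the loading pattern
    behind the Hacktool.Rootkit rows in the log."""
    return [r for r in records
            if r["file"].lower().endswith(".sys") and "temp\\" in r["location"].lower()]


if __name__ == "__main__":
    recs = parse_av_history(SAMPLE_LOG)
    for (risk, name), info in sorted(redetection_loops(recs).items()):
        print(f"{risk:20} {name:12} x{info['count']} every {info['minutes_per_hit']:.1f} min "
              f"in {', '.join(info['locations'])}")
    for r in unresolved(recs):
        print(f"still on disk: {r['location']}{r['file']} ({r['action']})")
    for r in temp_drivers(recs):
        print(f"driver in temp: {r['location']}{r['file']}")
```

On the excerpt this reports the Downloader DLL hit five times at roughly eight-minute intervals in system32 and the .BMP three times under C:\WINDOWS, which is the signature of a dropper still resident rather than of five separate infections; the "still on disk" rows and the two temp-directory drivers are the places a helper would look for that dropper.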
pandrojas
Hello friends.
My computer is infected with the Infostealer.gampass virus. I ran Norton, but it was unable to clean the virus/trojan. A message appears saying the file c:\windows\system32\ztdll.dll is infected. Furthermore, my computer works very, very slowly.
My HijackThis log file follows:

Logfile of HijackThis v1.99.1
Scan saved at 19:03:25, on 26/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\dvd43\dvd43_tray.exe
C:\WINDOWS\vsnpstd2.exe
C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\ARCHIV~1\ARCHIV~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\ARCHIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\Intel\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\MSNMES~1\msnmsgr.exe
C:\Archivos de programa\Ares\Ares.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\ARCHIV~1\Navnt\navapsvc.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Archivos de programa\Navnt\navapw32.exe
C:\ARCHIV~1\ARCHIV~1\PCSuite\Services\SERVIC~1.EXE
C:\ARCHIV~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Documents and Settings\Klau_Poster_Girl\Escritorio\HijackThis.exe
C:\ARCHIV~1\Navnt\alertsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fotolog.com/klau_poster_girl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NPS Event Checker] C:\ARCHIV~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\ARCHIV~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [dvd43] C:\Archivos de programa\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Archivos de programa\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Archivos de programa\Corel\Corel Graphics 12\Languages\ES\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=112906 serial=dr12wex-1504397-kty lang=ES
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [DataLayer] C:\ARCHIV~1\ARCHIV~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\ARCHIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SoundMam] C:\WINDOWS\system32\SVOHOST.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\ARCHIV~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Archivos de programa\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Archivos de programa\Navnt\navapw32.exe
O4 - Global Startup: Puerto Symantec Fax Starter Edition.lnk = C:\Archivos de programa\Microsoft Office\Office\3082\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E905BC2B-A695-4BC6-9044-05C8F169DD3F}: NameServer = 200.72.1.11,200.72.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\ARCHIV~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\ARCHIV~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\ARCHIV~1\Navnt\npssvc.exe

I need help, please.
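Both logs in this thread contain the kinds of entries a HijackThis helper checks first: an executable running from a user's Temp directory, a "rundll32.exe" that lives in C:\WINDOWS\Intel rather than system32, a Run key named SoundMam pointing at SVOHOST.exe (one letter away from svchost.exe), a BHO registered with no name, and entries whose file is already missing. The Python below is an added example, not part of either post and not HijackThis itself: it parses the process list and the O2/O4/O23 lines and applies those heuristics. The lines are excerpted from the two logs above; the home directories in SYSTEM_BINARIES assume a default C:\WINDOWS install, and every flag is a prompt to look, not a verdict.

```python
"""Heuristic triage of HijackThis v1.99 log lines: running processes, O2 BHOs,
O4 Run keys and O23 services. Flags what a log helper would look at first."""
import ntpath
import re

# Lines excerpted from the two HijackThis logs in this thread; normally the
# whole saved log file is passed in.
SAMPLE_HJT = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\ssb\LOCALS~1\Temp\mccrar.exe
C:\WINDOWS\Intel\rundll32.exe

O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: (no name) - {E5A7A15F-213F-4FCF-8DE7-D388F9FB09EB} - C:\WINDOWS\system32\cnwin.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMam] C:\WINDOWS\system32\SVOHOST.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKCU\..\Run: [RealUpdate] C:\WINDOWS\system32\real.exe
O4 - HKLM\..\Run: [dvd43] C:\Archivos de programa\dvd43\dvd43_tray.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

# Where these Windows XP binaries live on a default install (assumption); the
# same name anywhere else, or a near-identical name, is a red flag.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32", "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Path fragments marking temp and browser-cache directories.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
# First image path on a line: drive letter up to an executable or script extension.
PATH_RE = re.compile(r'([a-z]:\\.+?\.(?:exe|dll|com|scr|pif|bat|vbs))(?=["\s]|$)', re.I)


def edit_distance(a, b):
    """Levenshtein distance; 1 means a single changed, added or dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_path(path):
    """Return the heuristic reasons this image path deserves a closer look."""
    reasons = []
    low = path.lower()
    name, home = ntpath.basename(low), ntpath.dirname(low)
    if any(m in low for m in TEMP_MARKERS):
        reasons.append("runs from a temporary directory")
    if name in SYSTEM_BINARIES:
        if home != SYSTEM_BINARIES[name]:
            reasons.append(f"system binary {name} outside {SYSTEM_BINARIES[name]}")
    else:
        for known in SYSTEM_BINARIES:
            if edit_distance(name, known) == 1:
                reasons.append(f"lookalike of {known}")
                break
    return reasons


def triage(log_text):
    """Walk the log and return (line, reason) pairs for entries worth checking."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # blank line or section header
            continue
        if line.startswith("O2 - BHO: (no name)"):
            findings.append((line, "BHO registered without a name"))
        if line.endswith("(file missing)") or line.endswith("(no file)"):
            findings.append((line, "dead reference: file no longer on disk"))
            continue
        m = PATH_RE.search(line)
        if m:
            for reason in assess_path(m.group(1)):
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_HJT):
        print(f"{reason:50} <- {line}")
```

A dead reference is worth listing because HijackThis can remove the entry, but it is the lowest priority: the live items are the Temp-directory process, the misplaced rundll32.exe, and the svchost lookalike, which together with the re-detected ztdll.dll are what keep the infection coming back after Norton cleans individual files.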
HJThis
Hello pandrojas, and welcome.

Please have a look at the quote box at the bottom of this page, go to the links there and do as is asked, then come back here with a new HijackThis log file.


Gogo