Tech Support Team
Post #1 by Patient Kain (Newcomer), 22nd June 2009, 11:41 PM
[SOLVED] Infected with two trojans in the Windows Temp files, I think

Hello,

I think I have a virus, or two. The "perflib_perfdata" and "WFV1.tmp" files won't delete from the Windows Temp folder.

I ran ATFcleaner, Smitfraudfix, FindAWF and HJT (Crusty.exe), and the two files are still in there; I think they are my problem.

My computer randomly started running slower and shutting down my music in WMP and AIM if I opened either; sometimes it didn't even open them.

I'll post the AWF and HJT logs now, like the malware tutorial said to:

AWF


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 06/22/2009
The current time is: 19:27:09.17


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24:15, on 6/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\pgaegler\nah_uqno.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.su.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = su.edu
O17 - HKLM\Software\..\Telephony: DomainName = su.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = su.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = su.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: SSIRuntimeService - Unknown owner - C:\Program Files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe (file missing)
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe

--
End of file - 9543 bytes




Thank you for the help in advance.
Post #2 by Albert Lionheart (TST Oracle), 23rd June 2009, 04:17 PM
The perflib data files are usually locked and will not delete, so it is unlikely to be anything nasty.
Your best bet is to boot into Safe Mode and remove them from there: tap the F8 key repeatedly during boot and select the Safe Mode option from the list that appears. If you go into Windows, you missed it!
The WFV1 file can be cleared the same way.
Keep us posted!
__________________
Confuse and Prosper.
Post #3 by Albert Lionheart (TST Oracle), 23rd June 2009, 04:25 PM
Have now had a chance to look at the HJT log, and you need to remove the following:

O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = su.edu and the next 4 entries all referring to su.edu, unless you know what su.edu is and are happy with it.
That's all!
Post #4 by Patient Kain (Newcomer), 23rd June 2009, 04:43 PM
Oh cool, thanks.

I logged in with Safe Mode with Networking, is that about the same? And I deleted the entire Windows Temp folder (those reappear when new temp things need to be saved, right?) because oddly the two files (perf and wfv1) weren't there, so I emptied it, then decided to just delete the whole folder to be safe, in case they were hidden in Safe Mode.

Can I get rid of those other files in Safe Mode with Networking too? su.edu is my school's (Shenandoah University) site, and that's why I logged in with networking, because it won't let me log in regularly, as my account I think is set up through their network. Does that make sense? It's how I understand it anyway, lol.

Thanks for your help.
Post #5 by Blackmirror (TST Oracle), 23rd June 2009, 04:44 PM
Did you follow the guide?
Malware Removal Guide - Read Before Posting
__________________
Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
Post #6 by Patient Kain (Newcomer), 23rd June 2009, 04:50 PM
Yessir, I followed the guide after posting the thread. It got rid of a few registry things, maybe two.

I had read on this site, through Google, that someone else had the perflib and wfv1 files "deleted at reboot" when they weren't their main problem. The person helping them asked if they had read the guide, so I went to the main page and found "tutorials", thinking it was the same thing. And "whataboutdog/whataboutrabbit" or something seemed to be about malware and malware removal, so I followed that and posted the thread.

But the thread didn't show up, and I found the guide shortly after that and followed that too.

Need a log or anything from those? They might show as clean as they could be, because I already ran them yesterday.

(BTW, is my post supposed to not show up until a mod displays it, or should I have ticked a checkbox somewhere so you can read it as I post it back to you?)
Post #7 by Albert Lionheart (TST Oracle), 23rd June 2009, 04:57 PM
Guides are for those who are lost, woman! Joke for crissake, that was a joke!
Post #8 by Patient Kain (Newcomer), 23rd June 2009, 05:33 PM
So far there is definitely a noticeable difference, thank you for that.

My test for whether I still have it has been to Google search for "ham", lol. It was taking about 12 seconds to load the results before, while saying it only took about 0.17 seconds to give them to me, but now it only takes at most 6 seconds, maybe even the actual 0.17 sometimes.
Post #9 by Patient Kain (Newcomer), 23rd June 2009, 07:38 PM
Hello,

I got rid of the O8 AIM one, but not the su.edu. And I couldn't find the O4 svchost in the list?

Does it mean anything that I have two "rundll32.exe" running in my Task Manager?

Thanks,
PK

Oh, and if I get rid of the su.edu entries but it turns out I need or use them, would they re-create themselves on my computer perchance, or would I be in a tight spot for deleting them?

Just checking before I do so. Thanks again.

Post #10 by Blackmirror (TST Oracle), 23rd June 2009, 07:48 PM
I would wait for Evil Fantasy, our malware expert, before you start deleting anything, please.
Post #11 by Patient Kain (Newcomer), 23rd June 2009, 07:50 PM
The Windows Temp folder hasn't replaced itself yet, so I'm not sure if the wfv1 and perflib files are gone or not, or if I've done something wrong by deleting it, lol.

Should I be continuously running any specific program over and over to check for anything, or am I possibly safe now?

Also, thanks for removing the need for a mod to double-check my posts before they appear.

PK
Post #12 by Patient Kain (Newcomer), 23rd June 2009, 07:52 PM
Oh, okidoke, thanks. Sorry.

Know when they might be around?
Post #13 by Blackmirror (TST Oracle), 23rd June 2009, 07:58 PM
I have sent a PM.
Please don't start deleting things willy-nilly.
Post #14 by Patient Kain (Newcomer), 23rd June 2009, 08:20 PM
Haha, sorry. Thank you.
Post #15 by evilfantasy (Security Team), 23rd June 2009, 09:01 PM
Download ComboFix© by sUBs from one of the links below. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop.

Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix.
__________________

ƃolq s’ʎsɐʇuɐɟlıʌǝ
Post #16 by Patient Kain (Newcomer), 23rd June 2009, 10:23 PM
Thanks very much. Here's the ComboFix log:

ComboFix 09-06-22.0E - pgaegler 06/23/2009 18:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.453 [GMT -4:00]
Running from: c:\documents and settings\pgaegler\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\recycler\S-1-5-21-1633684125-3985344532-1507693836-500
c:\recycler\S-1-5-21-1633684125-3985344532-1507693836-500\desktop.ini
c:\recycler\S-1-5-21-1633684125-3985344532-1507693836-500\INFO2
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.

2009-06-23 01:23 . 2009-06-23 01:23 -------- d-----w- c:\documents and settings\pgaegler\Application Data\Malwarebytes
2009-06-23 01:23 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 01:23 . 2009-06-23 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 01:23 . 2009-06-23 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 01:23 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 00:00 . 2009-06-23 04:30 117760 ----a-w- c:\documents and settings\pgaegler\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-23 00:00 . 2009-06-23 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-22 23:59 . 2009-06-22 23:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-22 23:59 . 2009-06-22 23:59 -------- d-----w- c:\documents and settings\pgaegler\Application Data\SUPERAntiSpyware.com
2009-06-22 23:46 . 2009-06-22 23:46 -------- d-----w- c:\program files\CCleaner
2009-06-22 23:20 . 2009-06-22 23:20 -------- d-----w- c:\program files\Trend Micro
2009-06-16 00:24 . 2009-06-16 00:24 69232 ----a-w- c:\documents and settings\pgaegler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-15 21:46 . 2009-06-15 21:46 -------- d-----w- c:\documents and settings\pgaegler\Application Data\acccore
2009-06-15 21:46 . 2009-06-15 21:46 -------- d-----w- c:\documents and settings\pgaegler\Local Settings\Application Data\AOL OCP
2009-06-15 21:46 . 2009-06-15 21:46 -------- d-----w- c:\documents and settings\pgaegler\Local Settings\Application Data\AOL
2009-06-15 02:52 . 2009-06-22 23:59 -------- d-sh--w- c:\windows\Installer
2009-06-15 02:51 . 2009-06-15 02:52 -------- d-----w- c:\program files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-22 23:58 . 2007-07-25 17:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-16 01:35 . 2007-07-25 06:37 -------- d-----w- c:\program files\PCDR5
2009-06-16 00:38 . 2007-07-25 06:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 00:35 . 2007-07-25 06:35 -------- d-----w- c:\program files\Multimedia Center for Think Offerings
2009-06-16 00:34 . 2007-07-25 06:35 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-06-15 02:52 . 2009-02-25 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-12 03:08 . 2009-03-25 20:42 34 ----a-w- c:\documents and settings\pgaegler\jagex_runescape_preferences.dat
2009-06-12 01:12 . 2007-07-25 06:33 -------- d-----w- c:\program files\Java
2009-06-12 01:10 . 2009-06-12 01:10 152576 ----a-w- c:\documents and settings\pgaegler\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-12 01:01 . 2009-06-12 01:01 422 ----a-w- c:\documents and settings\pgaegler\Application Data\Apple Computer\socks1.exe
2009-06-12 01:01 . 2009-06-12 01:01 16141 ----a-w- c:\documents and settings\pgaegler\Application Data\InstallShield\lego.exe
2009-06-12 01:01 . 2009-06-12 01:01 145131 ----a-w- c:\documents and settings\pgaegler\Application Data\Identities\nomad.exe
2009-06-12 01:01 . 2009-06-12 01:01 13221 ----a-w- c:\documents and settings\pgaegler\Application Data\Adobe\rengo.dll
2009-06-12 01:01 . 2009-06-12 01:01 10121 ----a-w- c:\documents and settings\pgaegler\Application Data\Lavasoft\kern.dll
2009-06-12 00:35 . 2009-02-26 20:43 -------- d-----w- c:\documents and settings\pgaegler\Application Data\U3
2009-05-21 15:33 . 2009-02-25 22:53 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-17 02:15 . 2009-04-17 02:15 152576 ----a-w- c:\documents and settings\pgaegler\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-12-19 159744]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-12-19 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-03-28 58416]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-07 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-28 925696]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-01-31 2618944]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-09 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-09 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-09 131072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-03-30 181808]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-179605362-725345543-35108\Scripts\Logoff\0\0]
"Script"=EducLogOff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-179605362-725345543-35108\Scripts\Logon\0\0]
"Script"=Educlogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-179605362-725345543-37604\Scripts\Logoff\0\0]
"Script"=StudentLogOff.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1482476501-179605362-725345543-37604\Scripts\Logon\0\0]
"Script"=StudentLogin.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [3/2/2007 8:49 PM 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 8:47 PM 19760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [7/25/2007 2:25 AM 4442]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/25/2009 5:27 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 3:42 PM 35264]
S2 SSIRuntimeService;SSIRuntimeService;"c:\program files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe" --> c:\program files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe


.
------- Supplementary Scan -------
.
Trusted Zone: su.edu
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-23 18:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(3016)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\windows\system32\WebUpdateSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
.
************************************************************************
.
Completion time: 2009-06-23 18:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-23 22:22

Pre-Run: 100,458,917,888 bytes free
Post-Run: 100,433,821,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

213 --- E O F --- 2009-02-25 17:23
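The R0/R1/S2 lines at the top of the ComboFix output above list each driver and service as a state letter, a start-type digit, the service name, the display name, the image path, and a bracketed timestamp and size, with "[?]" where ComboFix could not find the file; that reading of the columns is my own and is not documented on this page. As an added example, which is neither part of this thread nor ComboFix's own code, the Python below parses lines in that format and flags the entries worth a second look: an image file that is missing from disk, as with the SSIRuntimeService entry here, and a service loaded from a user profile or temp directory, which is where the temp files this thread is about live. The expected install directories and the last log line (example_svc) are constructed for the example.

```python
"""Triage the driver/service section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One ComboFix service line, e.g.
#   R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [3/2/2007 8:49 PM 100656]
# Reading of the columns (my assumption, not documented on the page):
#   R/S = running/stopped, digit = start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled),
#   then name;display name;image path [timestamp size], or [?] if the file was not found.
LINE_RE = re.compile(r'^([RS])([0-4]) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$')

# Where Windows XP drivers and services are normally installed (assumption for this example).
EXPECTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\')

# Directory fragments a persistent service should essentially never be loaded from.
SUSPECT_MARKERS = ('\\documents and settings\\', '\\local settings\\', '\\temp\\')


@dataclass
class ServiceEntry:
    state: str            # 'R' running or 'S' stopped
    start_type: int       # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str             # resolved, lower-cased image path
    file_found: bool
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for lines that are not service entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, raw_path, meta = m.groups()
    # ComboFix prints 'registry ImagePath --> resolved path' when it had to
    # strip quotes from the path; keep the resolved form.
    if ' --> ' in raw_path:
        raw_path = raw_path.split(' --> ', 1)[1]
    path = raw_path.strip().strip('"').lower()
    entry = ServiceEntry(state, int(start), name, display, path, meta.strip() != '?')
    if not entry.file_found:
        entry.findings.append('file not found on disk')
    if not path.startswith(EXPECTED_PREFIXES):
        entry.findings.append('outside expected program directories')
    if any(marker in path for marker in SUSPECT_MARKERS):
        entry.findings.append('loaded from a user profile or temp directory')
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Return the service entries that raised at least one finding, in log order."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None and e.findings]


# The service block from the log above, plus one CONSTRUCTED line (example_svc)
# showing what a service living in a user's temp directory would look like.
SAMPLE_LOG = "\n".join([
    r'R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [3/2/2007 8:49 PM 100656]',
    r'R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 8:47 PM 19760]',
    r'R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]',
    r'R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [7/25/2007 2:25 AM 4442]',
    r'R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/25/2009 5:27 PM 24652]',
    r'R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]',
    r'S2 SSIRuntimeService;SSIRuntimeService;"c:\program files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe" --> c:\program files\Software Secure, Inc\SSIRuntimeService\SSIRuntimeService.exe [?]',
    r'S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]',
    r'[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]',
    # CONSTRUCTED for this example; not from the log in the thread.
    r'R2 example_svc;Example Service;c:\documents and settings\user\local settings\temp\svc.exe [6/1/2009 1:00 AM 12345]',
])

if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        print(f'{e.state}{e.start_type} {e.name}: {e.path} -> {"; ".join(e.findings)}')
```

Running it against the thread's own block reports only the SSIRuntimeService entry (image file missing) plus the constructed example_svc line; a missing image file is usually a leftover from an uninstalled product, as here, but the same check catches a service whose binary an antivirus product already removed while the registry entry persists.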
#17, 23rd June 2009, 10:34 PM
evilfantasy (Security Team, Tulsa, OK)
You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered Foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

More information:

It is suggested to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
  • Viewpoint Experience Technology


----------

How is the computer running now?
#18, 23rd June 2009, 10:53 PM
Patient Kain (Newcomer)
Speedy fast, thanks Evil.

Is there a scan or anything I need to do to make sure of that, or do I need to do anything else?

Thank you all for all the help, this is great.
#19, 23rd June 2009, 10:56 PM
evilfantasy (Security Team, Tulsa, OK)
Yes, we should do another scan to be sure we didn't miss anything.

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.


The above procedure will:
  • Delete ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.


----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.


Note that your system will run slower for a reboot or two after having used this tool, so don't panic.

Important: Restart the computer before continuing.

----------

Use the Kaspersky Lab Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.


When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information in the report.

To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 and 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

If needed, this animation will guide you through the process.
#20, 23rd June 2009, 11:18 PM
Patient Kain (Newcomer)
Hiya,

I did the uninstall and the ATF scan, but how does the Kaspersky work? Do I click the big picture with the magnifying glass that says scan now? Because I click that and nothing seems to happen; the comp just sits here. Is there somewhere else I am supposed to be clicking for it?

Thanks in advance.

Oh, could it be because I am on Firefox? Duh lol, I'll try IE one minute, sorry lol, I'm dumb.

Here we go, it works, sorry lol.

"Starting java applet has failed! Please go online to use this program."? That's the error message it gives me when it tries to install after I clicked Accept. What should I do?

A Google search of "java applet ie7" says, in the first five or more results, that there is a conflict somehow with that, so I'm downloading IE8. Is that all right, or would you recommend against it?
It gives me a little alert bubble that says something like "This thing needs an applet that is disabled", so I clicked on that to enable what needed to be enabled, which I thought would be Java, but that's enabled already...

Last edited by Patient Kain; 23rd June 2009 at 11:51 PM.