potential virus / pop ups?

Operating System, Common Application & ThinkPad Utilities Questions...
allen
Junior Member
Posts: 295
Joined: Tue Oct 03, 2006 10:34 pm
Location: southside williamsburg, brooklyn, ny
Contact:

potential virus / pop ups?

#1 Post by allen » Mon Feb 02, 2009 6:09 am

i've had my thinkpad since dec 2006, which is 2 yrs and change, and just recently seem to have a virus or something causing popups in a new firefox window. anytime this has happened in the past i could get to the source, but this time i don't have any clue how to get rid of it, or what's causing it.

i'm running
eset nod32 antivirus 3.0650 definitions up to date.
ff3, popup blocker is still on
startup monitor and startup control panel by mlin.net
ccleaner latest version
registry mechanic 7.0.0.1010

one of the only things i can think i recently did was add google gears and started using offline gmail beta.
i've tried running ff3 in safe mode with all add-ons disabled, no help.

how does one start looking for the source of a popup initiator?
2007-2013: T60p 15" Flexview SXGA+, C2D T7600 2.33ghz, Fire GL V5250, 2x2GB DIMMs, 500GB 7200RPM, 750GB 7200RPM in ultrabay, seagate 2TB external USB drive, WinXPP SP3
2013- : 15" retina macbook pro, early 2013, 2.7GHz i7, 512GB ssd, 1TB 7200rpm usb3 hitachi touro, 16GB RAM

Marin85
Senior ThinkPadder
Posts: 2975
Joined: Sat May 12, 2007 10:54 am
Location: Munich, Germany

Re: potential virus / pop ups?

#2 Post by Marin85 » Mon Feb 02, 2009 6:33 am

Just a few points:
1. Take a look at what is going on at Windows startup (Run -> msconfig -> Startup); you may find things that you can't identify and are hence suspicious.
2. Download Spybot S&D and Malwarebytes Anti-Malware and run them.
3. Download Process Explorer from sysinternals and look for processes in violet. They may indicate presence of malware (but not necessarily).
4. Download HijackThis from Trendmicro and examine the scan log.
5. Clean all internet temp files, sessions etc (in FF3 just ctrl + shift + del) (note you will be prompted what to clean, so choose wise).

This is not a step-by-step guide, rather an overview of different techniques :) If you have any questions, post back (or also if you'd like to ask about the HijackThis log).

Hope this helps

Marin
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)

RealBlackStuff
Admin
Posts: 17512
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA
Contact:

Re: potential virus / pop ups?

#3 Post by RealBlackStuff » Mon Feb 02, 2009 7:41 am

It's probably caused by you having an old version of Eset NOD32. The current one is 3.0.672.0
Download the latest version, disconnect from the web.
UNinstall the old NOD32, and keep your settings. Install the new version. Run Update.

Also, in the last few days Google had a major hiccup, which should be solved by now, but may have helped cause this.

Otherwise the rest of Marin85's advice is sound.
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

allen
Junior Member
Posts: 295
Joined: Tue Oct 03, 2006 10:34 pm
Location: southside williamsburg, brooklyn, ny
Contact:

Re: potential virus / pop ups?

#4 Post by allen » Mon Feb 02, 2009 2:40 pm

thanks, i'll try some of this stuff out,

wouldn't the version of eset nod32 not matter if my definitions were up to date?
2007-2013: T60p 15" Flexview SXGA+, C2D T7600 2.33ghz, Fire GL V5250, 2x2GB DIMMs, 500GB 7200RPM, 750GB 7200RPM in ultrabay, seagate 2TB external USB drive, WinXPP SP3
2013- : 15" retina macbook pro, early 2013, 2.7GHz i7, 512GB ssd, 1TB 7200rpm usb3 hitachi touro, 16GB RAM

Marin85
Senior ThinkPadder
Posts: 2975
Joined: Sat May 12, 2007 10:54 am
Location: Munich, Germany

Re: potential virus / pop ups?

#5 Post by Marin85 » Mon Feb 02, 2009 3:26 pm

allen wrote: wouldn't the version of eset nod32 not matter if my definitions were up to date?
Well, 1. ESET is an AntiVirus and 2. if the version didn't matter, there would have been no version updates ;) In other words, it's not only the definitions, but also the AV engine that counts. Part of the malware out there is designed to get around the most popular AV engines.

Marin
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)

allen
Junior Member
Posts: 295
Joined: Tue Oct 03, 2006 10:34 pm
Location: southside williamsburg, brooklyn, ny
Contact:

Re: potential virus / pop ups?

#6 Post by allen » Tue Feb 03, 2009 5:30 pm

ok, according to spybot s&d, i have virtumonde and smitfraud viruses, and i can't get rid of them!
i've googled solutions and followed virtumonde.net and smitfraud.net.
i've tried smitfraudfix (which eset would not let me download unless i disabled it), in safe mode, in conjunction with spybot s&d and spyware doctor w/ antivirus trial version, which is supposed to prevent viruses from reproducing, and points out that it does (saying "system event blocked" every minute), but it isn't getting rid of them; they still show up on every spybot s&d scan.

i have process explorer and hijack this, and often clear FF3 w/ ctrl shift del.
xoftspyse isn't helping.
i don't want to pay for software for this, will Malwarebytes Anti-Malware even make a difference on this case?

symptoms are strange:
repeatedly changing firefox 3 tab settings to open new pages in a new window instead of a tab.
popups.
getting rid of quicklaunch toolbar on restart.
attempts to add something to the startup, which startup monitor alerts me and i deny.

what can be done!?!?
i've had very few viruses in the 2 yrs and change i've had my thinkpad, and this is the first i'm not able to get rid of :(

this is my hijack this log, which i can sorta decipher, but not completely:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:46 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
c:\tpfancontrol\fancontrol_service.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\Program Files\ProcessExplorer\procexp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/thinkpad
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... b_site.cab?1167371443114
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {975BA4C8-C5A7-4CFD-9F42-10CF4B75F580} (Actx Control) - https://expertslive.lenovo.com/home/activex/actx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://fisa.ra.nyc.gov/dana-cached/set ... tupSP1.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by114fd.bay114.hotmail.msn.com/a ... Atchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wvowak.dll permcs.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c981dcebdd7b1e) (gupdate1c981dcebdd7b1e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TPFanControl - Unknown owner - c:\tpfancontrol\fancontrol_service.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10895 bytes
2007-2013: T60p 15" Flexview SXGA+, C2D T7600 2.33ghz, Fire GL V5250, 2x2GB DIMMs, 500GB 7200RPM, 750GB 7200RPM in ultrabay, seagate 2TB external USB drive, WinXPP SP3
2013- : 15" retina macbook pro, early 2013, 2.7GHz i7, 512GB ssd, 1TB 7200rpm usb3 hitachi touro, 16GB RAM

Marin85
Senior ThinkPadder
Posts: 2975
Joined: Sat May 12, 2007 10:54 am
Location: Munich, Germany

Re: potential virus / pop ups?

#7 Post by Marin85 » Tue Feb 03, 2009 5:36 pm

Could you post a screenshot from Process Explorer? This would make things a little bit easier. If you have another computer, disconnect your ThinkPad from the internet for a while. I'll be able to reply in more detail after the screenshot :)

Thanks,

Marin

EDIT: Please don't panic! :)

EDIT2: Reading your log I already have a few ideas ;)

EDIT3: Next time you make a HijackThis log, please exit all open programs first. This will reduce the complexity of the log by far. Thanks :)
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Re: potential virus / pop ups?

#8 Post by GomJabbar » Tue Feb 03, 2009 7:57 pm

If it were me, I would try running Malwarebytes' Anti-Malware (linked to in an earlier post above). It has developed a very good reputation for removing malware. The scanner and remover tool is a free download; the paid version is for real-time scanning.

Also, it can make a difference running these anti-malware scanners from SAFE MODE. When you are booted into Windows normally, malware programs can prevent the scanners from doing their job. When you are booted into SAFE MODE, Windows does not allow many programs and services to load at boot up. Press F8 at the beginning of the boot sequence to get the SAFE MODE boot menu.
DKB

Marin85
Senior ThinkPadder
Posts: 2975
Joined: Sat May 12, 2007 10:54 am
Location: Munich, Germany

Re: potential virus / pop ups?

#9 Post by Marin85 » Tue Feb 03, 2009 8:19 pm

GomJabbar wrote: Also, it can make a difference running these anti-malware scanners from SAFE MODE. When you are booted into Windows normally, malware programs can prevent the scanners from doing their job. When you are booted into SAFE MODE, Windows does not allow many programs and services to load at boot up. Press F8 at the beginning of the boot sequence to get the SAFE MODE boot menu.
Good point. Looking at the HijackThis log, the registry looks really messed up (I didn't count how many times C:\Program appears in the log...). Loading so many services and programs at startup explains why Spybot can't get rid of the malware; all this activity just makes the malware reproduce itself.

If you are lucky, the malware "cores" will be only in windows and system32 folder. C:\Program is probably only to distract attention...

Marin
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)

RealBlackStuff
Admin
Posts: 17512
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA
Contact:

Re: potential virus / pop ups?

#10 Post by RealBlackStuff » Tue Feb 03, 2009 10:49 pm

There's hardly an indication of the infections you mention.

You could start by deleting all the O16 entries, you don't need those.
They won't do any harm though.

The only questionable entry in the whole log is this:
O20 - AppInit_DLLs: wvowak.dll permcs.dll

Both .dll files need to be UNregistered and deleted.
Do this while in SAFE MODE.

Unregistering a file
To unregister a file, type:

regsvr32 -u <filename>.dll

or

regsvr32 -u <path>\<filename>.dll

where <path> is the path to the file, and <filename> is the name of the file.
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.
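
As a defender-side companion to Marin85's checklist in post #2 (startup entries, Process Explorer, HijackThis) and RealBlackStuff's reading of the log in post #10 (the O20 AppInit_DLLs entry, the removable O16 entries), here is an added Python example that is not from this thread, from Trend Micro or from any of the tools named: it parses the "Onn - ..." line format HijackThis v2 writes and flags the patterns the replies single out. The sample log is a constructed subset of the second log allen posted; the severity levels, the function names and the "bare filename resolved via the search path" heuristic are this example's own assumptions.

```python
"""Triage a Trend Micro HijackThis v2 log for entries worth a second look.

Added example, not part of the forum thread or of HijackThis. The heuristics
encode what the replies point at: a populated O20 AppInit_DLLs line, entries
that reference files no longer on disk, nameless BHOs with no file, O16
downloaded ActiveX controls, and O4 Run entries given as bare filenames.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a subset of the second log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {2C7ACFBF-92E8-47A2-A799-190FC0621761} - (no file)
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O20 - AppInit_DLLs: wvowak.dll permcs.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: pmnkLDtq - pmnkLDtq.dll (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Every HijackThis finding starts with a section tag such as R0, O4, O20, O23.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str                                   # e.g. "O20"
    body: str                                      # text after "O20 - "
    flags: List[Tuple[str, str]] = field(default_factory=list)  # (level, reason)


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per 'Xnn - ...' line; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def _is_bare(name: str) -> bool:
    """True when no directory is given, so Windows resolves the file via its search path."""
    return "\\" not in name and "/" not in name


def triage(entry: Entry) -> Entry:
    """Attach (level, reason) flags to one entry. Levels are this example's own scale."""
    body = entry.body
    if entry.section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that links user32.dll;
        # on a clean workstation the value is normally empty.
        dlls = [d for d in re.split(r"[,\s]+", body.split(":", 1)[1]) if d]
        if dlls:
            entry.flags.append(("high", "AppInit_DLLs is populated: " + ", ".join(dlls)))
        bare = [d for d in dlls if _is_bare(d)]
        if bare:
            entry.flags.append(("medium", "bare DLL name(s), resolved via the search path; "
                                "locate the file on disk before unregistering: " + ", ".join(bare)))
    if "(file missing)" in body:
        entry.flags.append(("medium", "points at a file that is no longer on disk (leftover of a removal)"))
    if entry.section == "O2" and "(no name)" in body and "(no file)" in body:
        entry.flags.append(("medium", "nameless BHO whose DLL is gone: orphaned CLSID"))
    if entry.section == "O16":
        entry.flags.append(("info", "downloaded ActiveX control (DPF); not needed for the system to run"))
    if entry.section == "O4" and "] " in body:
        cmd = body.split("] ", 1)[1]
        if cmd and _is_bare(cmd):
            entry.flags.append(("info", "Run entry without a path; confirm where the binary actually lives"))
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse and triage a whole log; return only the entries that picked up a flag."""
    return [e for e in (triage(x) for x in parse_log(text)) if e.flags]


def count_by_level(entries: List[Entry]) -> Dict[str, int]:
    """Tally flags per severity level, e.g. {'high': 1, 'medium': 4, 'info': 2}."""
    counts: Dict[str, int] = {}
    for e in entries:
        for level, _ in e.flags:
            counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = triage_log(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.section} - {e.body}")
        for level, reason in e.flags:
            print(f"    [{level}] {reason}")
    print(count_by_level(flagged))
```

Run against the constructed sample, the only "high" flag lands on the AppInit_DLLs line, which matches the one entry RealBlackStuff called questionable; the "(file missing)", "(no file)" and O16 items are the clutter that the thread says is harmless but removable. The flags are starting points for a manual check of each file's location, vendor and signature, not verdicts.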

allen
Junior Member
Posts: 295
Joined: Tue Oct 03, 2006 10:34 pm
Location: southside williamsburg, brooklyn, ny
Contact:

Re: potential virus / pop ups?

#11 Post by allen » Wed Feb 04, 2009 3:55 am

[img]http://www.allenying.com/photos/Process ... enshot.jpg[/img]

ok, i thought to do the hijackthis log w/ no software open, but then thought maybe the virus issue wouldn't show up or something, so i did it with my usual stuff open, anyhow, below is the hijackthis log just after malwarebytes scan and restart.

i got a serial# for spyware doctor w/ antivirus, and thought i got rid of it, but i just had a popup.
the malwarebytes may have done it, but now i'm gonna sleep, and check it out in the morning.

i forgot to mention one of the symptoms was waking my laptop up from sleep/standby mode.

are we sure it's ok to get rid of all O16 entries?

and for the unregistering a file instructions, is that in cmd prompt or ?

thanks so much,
i'm super frustrated at the idea that i even got a virus, and at not being able to get rid of it. i thought for the last 2 years i ran a pretty tight ship on this machine, keeping startups and processes regulated, and i'm thoroughly baffled that mac OSX doesn't get these things.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:19 AM, on 2/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\tpfancontrol\fancontrol_service.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C7ACFBF-92E8-47A2-A799-190FC0621761} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/thinkpad
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/acce ... /AcpIR.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se9602.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7371443114
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {975BA4C8-C5A7-4CFD-9F42-10CF4B75F580} (Actx Control) - https://expertslive.lenovo.com/home/activex/actx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-307.ibm.com/pc/support/acce ... ontrol.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://fisa.ra.nyc.gov/dana-cached/set ... tupSP1.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by114fd.bay114.hotmail.msn.com/a ... Atchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wvowak.dll permcs.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: pmnkLDtq - pmnkLDtq.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c981dcebdd7b1e) (gupdate1c981dcebdd7b1e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TPFanControl - Unknown owner - c:\tpfancontrol\fancontrol_service.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11895 bytes
2007-2013: T60p 15" Flexview SXGA+, C2D T7600 2.33ghz, Fire GL V5250, 2x2GB DIMMs, 500GB 7200RPM, 750GB 7200RPM in ultrabay, seagate 2TB external USB drive, WinXPP SP3
2013- : 15" retina macbook pro, early 2013, 2.7GHz i7, 512GB ssd, 1TB 7200rpm usb3 hitachi touro, 16GB RAM

Marin85
Senior ThinkPadder
Posts: 2975
Joined: Sat May 12, 2007 10:54 am
Location: Munich, Germany

Re: potential virus / pop ups?

#12 Post by Marin85 » Wed Feb 04, 2009 7:05 am

I guess the previous log was cut off when being pasted. I was wondering where the C:\Program folder came from. It turned out to be C:\Program Files... At least, it's now clear that the registry is not such a mess.

As for the O16 entries, I believe it's safe to unregister them. If I remember correctly, you can unregister them within HijackThis. As for pmnkLDtq.dll, I googled that and Google doesn't come up with anything, so this must be a very arbitrary name like the ones most malware creates during its presence. You may try to delete this entry as well, but I don't believe it would really solve your problem; it will probably appear again under another name.

Process Explorer doesn't indicate anything suspicious.

Do you experience the symptoms after having run Malwarebytes?


Marin
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)

RealBlackStuff
Admin
Posts: 17512
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA
Contact:

Re: potential virus / pop ups?

#13 Post by RealBlackStuff » Wed Feb 04, 2009 8:16 am

From your last logfile:
while in HijackThis, you can safely remove the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2C7ACFBF-92E8-47A2-A799-190FC0621761} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: ==>All entries starting with O16<==
O20 - Winlogon Notify: pmnkLDtq - pmnkLDtq.dll (file missing)

For this O20 entry, you need to do the UNregistering from a DOS/cmd prompt.
O20 - AppInit_DLLs: wvowak.dll permcs.dll
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

Marin85

Re: potential virus / pop ups?

#14 Post by Marin85 » Wed Feb 04, 2009 9:14 am

A few points:

1. When googling ColorVisionStartup.lnk I found a few results, all suggesting Virtumonde. While I understand that such an entry mostly appears in HijackThis logs, which are used to fight malware, I think there seems to be a strong correlation between the two things (I can't tell why that would be). (Also, the logs I saw seemed to be from different users, not the same one posting in different forums.) My point is that the ColorVision thing is worth a check (maybe a program that contains a serious security vulnerability, etc.)

2. If you manage to locate where on the filesystem the malware resides, I would suggest you run some Linux LiveCD and wipe all related files from there (mainly any self-copies). After this Windows will probably do a chkdsk, but that is normal since changes were made to the file system outside of Windows.

RealBlackStuff

Re: potential virus / pop ups?

#15 Post by RealBlackStuff » Wed Feb 04, 2009 12:55 pm

Marin, be careful!
There's nothing wrong with that ColorVisionStartup.
That the name shows up in other HijackThis logs is only because it is a popular calibrating program, NOT a virus!

I have done virus-elimination for about 2 years, and have helped between 2-3,000 (yes thousand) people.

An indication of spyware/virus might be the about:blank.
Either OP did this himself, OR it is caused by the two .dll files in O20.
If he eliminates those .dll files, the problem should be gone.

He could try and run CWShredder http://us.trendmicro.com/us/products/pe ... WShredder/ but I'm not sure if that will do the trick.

Marin85

Re: potential virus / pop ups?

#16 Post by Marin85 » Wed Feb 04, 2009 1:06 pm

RealBlackStuff wrote: Marin, be careful!
There's nothing wrong with that ColorVisionStartup.
That the name shows up in other HijackThis logs is only because it is a popular calibrating program, NOT a virus!
Thanks, I'm aware of this :). But I didn't say that it is a virus. My point was only that I observed a strong correlation between its presence in HijackThis logs and Virtumonde. That doesn't mean that ColorVision is a virus, but it could mean that it contains some serious security vulnerability that gets exploited by this particular virus. But this observation could also very well mean nothing. It was just an observation... :)

Cheers

Marin

Marin85

Re: potential virus / pop ups?

#17 Post by Marin85 » Wed Feb 04, 2009 1:20 pm

Just to sum up, the obscure .dlls seem to be:
pmnkLDtq.dll (note, file missing)
wvowak.dll
permcs.dll


If these were any known .dlls, Google would have come up with some results from DLL depots, but that was not the case. The first one is probably missing because it was removed by the initial clean with Spybot and has probably been replicated/renamed (again). The other two could be the same file with two different names.

RBS, are you sure that a Windows shredder application wouldn't cause the virus to replicate itself? I don't know about the Trend Micro product, but I was aware of an application (which had an icon of a skull and two bones) used to remove rootkits. I don't know how it erased things, but I remember it could theoretically ruin your file system :D, though it was very effective...

I'm curious as to where these 2 dlls reside...

Marin

RealBlackStuff

Re: potential virus / pop ups?

#18 Post by RealBlackStuff » Wed Feb 04, 2009 1:27 pm

Those .dll files are nearly always in \Windows\System32

The CWShredder is to eliminate Cool Web Search infections, which are known to cause about:blank.
It will not harm your installation.

And now onto something entirely different:
:bouncing-bird: This was my 3000th post! :bouncing-bird:

allen
Junior Member
Posts: 295
Joined: Tue Oct 03, 2006 10:34 pm
Location: southside williamsburg, brooklyn, ny
Contact:

Re: potential virus / pop ups?

#19 Post by allen » Wed Feb 04, 2009 3:43 pm

ok, i think malwarebytes got it, symptoms have stopped, and they didn't show up on the 2nd malwarebytes full scan after reboot.

but i'd still like to do the hijackthis stuff to be sure.

colorvision i use for monitor calibration
about:blank is what i have as my home page for ff3 and ie7, though i pretty much never use ie.

so i deleted in hijack these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2C7ACFBF-92E8-47A2-A799-190FC0621761} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
All entries starting with O16

O20 - Winlogon Notify: pmnkLDtq - pmnkLDtq.dll (file missing)
either wasn't there again, or i deleted it, i forget already, so much info.

when i use cmd prompt to unregister
O20 - AppInit_DLLs: wvowak.dll permcs.dll
it's not found, even if i put in the path C:\WINDOWS\system32

can i just check the checkbox and hit fix this like i did with the others?

thanks again soooo much :D

Marin85

Re: potential virus / pop ups?

#20 Post by Marin85 » Wed Feb 04, 2009 3:55 pm

Glad to hear that your problem got resolved, and I hope it will stay so :)

Malwarebytes seems to have done a very good job. Actually, I have to admit I'm a little bit surprised (but positively) -> never underestimate other people's software :)

Cheers

Marin

PS: Please, next time you post any kind of logs, use the code feature of the forum to avoid cut-offs and misunderstandings, e.g.


big nasty log -> [code]big nasty log
-> what you see here[/code] Thanks ;)

RealBlackStuff

Re: potential virus / pop ups?

#21 Post by RealBlackStuff » Wed Feb 04, 2009 5:24 pm

I don't know where those files are, I just indicated the most likely places.

Anyway, the fastest method to find any file on a hard disk is the ATTRIB program:
go to a command prompt, type in: cd \ and hit Enter.
Then type in one of the underneath lines, followed by Enter:
ATTRIB wvowak.dll /S
ATTRIB permcs.dll /S

The /S means to Search in Subfolders as well.

If found, unregister using the full path and then delete.
If not found, malwarebytes got them.
You can now delete the corresponding HiJackThis entry.
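An added triage script, not from the thread and not part of HijackThis or any tool named in it, that applies the checks discussed in Marin's summary (#17) and RealBlackStuff's ATTRIB procedure (#21): it pulls the AppInit_DLLs names, "(file missing)" hooks, "Unknown owner" services and ActiveX downloads out of log lines copied from the log posted in this thread, and performs the recursive case-insensitive file search that ATTRIB <name> /S does, here on a constructed temporary directory tree. triage, find_file and demo_search are hypothetical helper names.

```python
import os
import tempfile

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O16 - DPF: {975BA4C8-C5A7-4CFD-9F42-10CF4B75F580} (Actx Control) - https://expertslive.lenovo.com/home/activex/actx.cab
O20 - AppInit_DLLs: wvowak.dll permcs.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: pmnkLDtq - pmnkLDtq.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

def triage(log: str) -> list:
    """Return (reason, detail) pairs for log entries the thread treats as worth a second look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line[:3]
        if section == "O20" and "AppInit_DLLs:" in line:
            # Every DLL named here is loaded into each user-mode process, so each name is a finding.
            for dll in line.split("AppInit_DLLs:", 1)[1].split():
                findings.append(("appinit-dll", dll))
        elif "(file missing)" in line:
            # A dangling hook or service: a file an earlier clean-up removed, or a renamed copy.
            findings.append(("file-missing", line))
        elif section == "O23" and "Unknown owner" in line:
            findings.append(("unknown-owner-service", line))
        elif section == "O16":
            findings.append(("activex-download", line))
    return findings

def find_file(root: str, name: str) -> list:
    """Recursive, case-insensitive search: the job ATTRIB <name> /S does when run from C:\\."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() == name.lower()]

def demo_search() -> list:
    """Build a throwaway tree holding a constructed (empty) permcs.dll and locate it by name."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    open(os.path.join(sys32, "permcs.dll"), "wb").close()
    return [os.path.relpath(p, root) for p in find_file(root, "PERMCS.DLL")]
```

Running triage(SAMPLE_LOG) flags six entries and leaves the AwayNotify and ESET lines alone; demo_search() returns the single path under WINDOWS/system32 where the constructed file was placed.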
