ICPP Foundation

Solved/Closed
RT1982 (Member) - Apr 26, 2010 at 02:07 AM
Ambucias (Moderator) - May 2, 2010 at 04:38 PM
Hi,
I was watching a free streaming live match on the website and suddenly a virus popped up, but I deleted it after scanning and restarted the system. But it never allowed me to go to the desktop. I was able to enter my logon USERNAME and PASSWORD, and after that I get a screen mentioning COPYRIGHT piracy; it says ICPP Foundation and it had two options:
1. Pass the case to the court
2. Settle by prior settlement (by using a credit card)

When I clicked on "pass the case to the court", I gave some dummy name and other details and gave my email id. It sent me an ACTIVATION code. Can I enter the activation code? What does that mean?

I was only able to go to the TASK MANAGER but couldn't do much.
I am using McAfee antivirus, but it couldn't protect from the virus.
Will I lose my data, as I have a lot of important data on my laptop?

Any help is greatly appreciated.
Awaiting a positive response.
TIA
FYI : https://privacybunker.io/#comment-23
The above website has provided the screenshot, which is the same one I got. Kindly help me out.

Regards,
RT

17 responses

Ambucias (Moderator)
Apr 26, 2010 at 07:23 AM
Hello,

ICPP Foundation is a rogue Trojan Horse, W32/DotTorrent.A

The malware is typically located in c:\documents and settings\USERNAME\application data\IQManager\iqmanager.exe. We've seen two versions so far. MD5 hashes of them are cedc2c35bf967027d609df13e937946c and bca3226cc1cfea416c0bcf488082e5fd.

To send the Trojan Horse to the glue factory:

Please follow the following procedure carefully and to the letter.

You have a rogue virus Trojan Horse which is self-protective, thus it will prevent any antivirus from functioning.

You must kill the processes which the virus is presently running. If you don't, it will keep reproducing the files forever.

To kill the processes:

1. Download Rkill to your desktop and run it:

https://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that Rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that Rkill can terminate the processes. So, please try running Rkill until the malware is no longer running.

As a matter of fact, if you get messages, it is a sign that the virus is agonizing in excruciating pain, so you can just grin while it is suffering! :)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download Malwarebytes to your desktop.

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on rename. Rename it kioskea.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.

Once your computer is clean and working normally, just to be on the safe side:

*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong than not to be able to undo changes that were damaging.

(Malwarebytes may reboot your computer; don't be alarmed. Should that happen, relaunch Malwarebytes to complete the FULL scan.)

Once all this is completed, I always suggest deleting Malwarebytes, as some people have reported that it may interfere with other antivirus applications.

Your feedback on this solution would be most appreciated.

Good luck
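A scripted way to check a disk for the two indicators quoted in this reply (the iqmanager.exe drop path and the two MD5 hashes), as an added example that is not part of the original post or of any tool named in it. It assumes the user profiles live under one root such as C:\Documents and Settings and only hashes .exe and .dll files; the path rule is there so that a repacked build with a new hash still shows up. Run it from a clean account, or against the disk mounted on another machine, since a live rogue can lock or re-create its own file.

```python
"""IOC sweep for the indicators quoted in the reply above: the iqmanager.exe
drop path and the two MD5 hashes of W32/DotTorrent.A. Added example, not code
from the thread. Run it with the profile root of the suspect disk, e.g.
'C:\\Documents and Settings' on Windows XP (an assumed default below)."""
import hashlib
import os
import sys
from pathlib import Path

# Known-bad MD5 hashes quoted in the reply above.
KNOWN_BAD_MD5 = {
    "cedc2c35bf967027d609df13e937946c",
    "bca3226cc1cfea416c0bcf488082e5fd",
}
# Drop location quoted in the reply, relative to one user profile directory.
DROP_RELPATH = Path("Application Data") / "IQManager" / "iqmanager.exe"
# Hashing every file on a disk is slow; executables and DLLs are what this family drops.
INTERESTING_SUFFIXES = {".exe", ".dll"}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a large file never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(profiles_root, bad_hashes=KNOWN_BAD_MD5, drop_relpath=DROP_RELPATH):
    """Walk every profile under profiles_root and return a sorted list of
    (path, reason) pairs. A file is reported when its MD5 is in bad_hashes, or
    when it sits at the documented drop path, so a repacked variant with a new
    hash is still surfaced by where it lives."""
    hits = []
    drop_suffix = str(drop_relpath).lower()
    for dirpath, _dirnames, filenames in os.walk(profiles_root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in INTERESTING_SUFFIXES:
                continue
            if str(path).lower().endswith(drop_suffix):
                hits.append((str(path), "file at documented drop path"))
            try:
                digest = md5_of_file(path)
            except OSError as exc:
                # A self-protecting process may hold its own binary locked;
                # that is worth reporting rather than silently skipping.
                hits.append((str(path), f"could not hash: {exc}"))
                continue
            if digest in bad_hashes:
                hits.append((str(path), f"MD5 matches known sample {digest}"))
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Documents and Settings"
    for path, reason in sweep(root):
        print(f"{path}: {reason}")
```

A hash match only proves the presence of the two builds seen at the time of the thread; the path rule is what survives repacking. Neither replaces the Rkill and Malwarebytes steps above; they tell you whether the documented sample is present before and after the cleanup.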
RT1982 (Member)
Apr 27, 2010 at 02:41 AM
I was able to solve 50% of the problem, but there is a rogue virus which is still haunting me...
I actually got a virus called TOTAL PC DEFENDER 2010, which looks like an ANTIVIRUS product, but you can neither stop it nor uninstall it.
From that I got ICPP Foundation, which didn't allow me to get into my desktop, but I was able to get into Task Manager, opened the website mentioned, downloaded a spyware tool to detect it, and downloaded another antivirus, PREVX, to delete it. At that point I was able to uninstall TOTAL PC DEFENDER through Control Panel. Somehow I got my desktop back, but the ICPP FOUNDATION screen is not getting deleted.
But I see there is still a rogue virus which is residing in the Registry Keys. I want to know how to delete those. Can I directly go to the registry key, check the path where the rogue virus is residing, and delete that or not?

There was no IQManager\iqmanager.exe in the mentioned path, but there was TOTAL PC DEFENDER in Documents & Settings and a few other places. Somehow I was able to uninstall it, but the rogue and other trojan virus is still haunting.

Will the above process help me solve the issue?
I will try today and let you know.
Thanks for your valuable advice.

Regards,
RT
liz - please help!!
Apr 26, 2010 at 09:23 AM
Sorry to hijack your problem; however, I have the same. It happened about an hour ago. Is there anyone who can give a foolproof cure to this problem? I was looking at the answer given below, downloaded Rkill and ran it, but it came up with some binary coding pop-up screen and then did nothing; no window came up showing my desktop icons, and I cannot get to my desktop to see if it is there. The ICPP pop-up screen is the only thing on there, apart from being able to access Google, as I previously had it open. And therefore I cannot complete the rest of the steps to get rid of this virus!!!! BTW I am not very technically minded, so help would be greatly appreciated, and in quite easy instructions. This is really stressing me out. Thanks.
liz - please help!!
Apr 26, 2010 at 10:17 AM
Hi RT1982,

I was wondering if you had managed to solve your problem? I would appreciate any feedback or ideas you may have. Sorry if I'm bugging you. :(

Ambucias (Moderator)
Apr 27, 2010 at 05:11 AM
Hello RT,

Can you post a HijackThis log here?

http://free.antivirus.com/hijackthis/

It would help a lot to examine your registry and processes.

Regards
RT1982 (Member)
Apr 28, 2010 at 01:52 AM
Hi Ambucias,
Thank you for your reply.
I was able to kill the process called APManager.exe, and later the ICPP FOUNDATION screen got killed. I removed it from the Control Panel as well, my desktop was operating normally, and the system rebooted normally.
After that I got the COMBOFIX software from my IT Support, as it wasn't my personal laptop, so I couldn't use HijackThis to create a log, but I ran COMBOFIX and it produced the log below. Can you let me know what this means?
1. Am I free of all the viruses?
2. How do I confirm that I am free of all the viruses?

COMBOFIX_LOG details
ComboFix 09-11-24.04 - rtummalapal3 04/27/2010 22:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1992.1087 [GMT 5.5:30]
Running from: c:\documents and settings\rtummalapal3\Desktop\ComboFix.exe
FW: Proventia Desktop *enabled* {7A3D7276-A50F-42DF-934D-D98EB0654282}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\windows\system32\instsrv.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-26 22:13 . 2010-04-26 22:13 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\Smart-Ads-Solutions
2010-04-26 21:27 . 2010-04-27 16:54 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-26 21:24 . 2010-04-26 21:26 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\GetRightToGo
2010-04-26 20:29 . 2009-12-11 12:35 3613560 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\yvy10.exe
2010-04-26 20:06 . 2006-06-19 06:31 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-26 20:06 . 2006-05-25 09:22 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-26 20:06 . 2005-08-25 19:20 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-26 20:06 . 2003-02-02 13:36 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-04-26 20:06 . 2002-03-05 18:30 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-26 20:06 . 2010-04-26 20:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2010-04-26 20:06 . 2010-04-26 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-04-26 19:42 . 2010-04-26 19:42 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\Yahoo!
2010-04-26 19:22 . 2010-04-26 19:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-04-26 19:22 . 2010-04-26 22:06 -------- d-----w- c:\program files\Yahoo!
2010-04-26 19:05 . 2010-04-26 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-04-26 18:37 . 2010-04-26 19:05 -------- d-----w- c:\program files\IObit
2010-04-26 18:37 . 2010-04-26 19:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2010-04-26 16:36 . 2010-04-27 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-26 16:34 . 2010-04-27 16:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-26 16:32 . 2010-04-26 16:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2010-04-26 16:14 . 2010-04-27 15:50 -------- d-----w- c:\program files\PrevxEnterprise
2010-04-26 16:14 . 2010-04-27 15:50 -------- d-----w- C:\PrevxEnterprise
2010-04-26 15:58 . 2010-04-26 15:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2010-04-26 15:58 . 2010-04-26 15:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Smart-Ads-Solutions
2010-04-26 15:58 . 2010-04-26 15:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\ezLife
2010-04-26 15:58 . 2010-04-26 15:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Softonic_English
2010-04-26 15:57 . 2010-04-26 15:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-04-26 15:54 . 2010-04-26 15:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\1E
2010-04-25 15:06 . 2010-04-25 15:06 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\ezLife
2010-04-25 15:06 . 2010-04-25 15:06 48272 ----a-w- c:\windows\system32\fiujohrofgu.exe
2010-04-25 15:06 . 2010-04-25 15:06 -------- d-----w- c:\program files\ezLife
2010-04-25 15:06 . 2010-04-25 15:06 156672 ----a-w- c:\windows\Vhujua.exe
2010-04-25 15:06 . 2010-04-26 21:51 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\AE47D7B76AFE622337947D37BFE187DC
2010-04-25 15:06 . 2010-04-25 15:06 211968 ----a-w- c:\windows\system32\sshnas21.dll
2010-04-21 11:55 . 2010-04-21 11:55 299008 ----a-w- c:\windows\system32\jkyyyaxo.dll
2010-04-21 11:55 . 2010-04-21 11:55 319488 ----a-w- c:\windows\system32\vumemhhq.dll.vir
2010-04-19 09:29 . 2010-04-19 09:29 255472 ----a-w- c:\documents and settings\rtummalapal3\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-15 10:58 . 2010-04-15 10:58 384512 ----a-w- c:\windows\system32\jhyrospfjw.dll.vir
2010-04-07 22:56 . 2010-04-07 22:56 -------- d-----w- c:\windows\system32\winrm
2010-04-07 22:56 . 2010-04-07 22:56 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-04-06 23:01 . 2010-04-06 23:01 -------- d-----w- C:\cmpnents
2010-04-06 23:01 . 2010-04-06 23:01 -------- d-----w- C:\docs
2010-04-06 22:38 . 2009-10-19 07:36 130560 -c----w- c:\windows\system32\dllcache\aaclient.dll
2010-04-06 22:37 . 2008-04-14 00:11 12800 ------w- c:\windows\system32\credssp.dll
2010-04-06 22:22 . 2008-04-14 00:12 7680 ----a-w- c:\windows\system32\spdwnwxp.exe
2010-04-06 22:22 . 2008-04-14 00:12 20992 ------w- c:\windows\system32\spupdwxp.exe
2010-04-06 22:22 . 2008-04-14 00:12 20992 ------w- c:\windows\system32\faxpatch.exe
2010-04-01 16:58 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-04-01 16:58 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys
2010-04-01 16:58 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-04-01 16:58 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-03-30 15:43 . 2010-03-30 15:43 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-27 17:09 . 2008-11-24 16:30 -------- d-----w- c:\program files\McAfee
2010-04-27 17:09 . 2008-11-24 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-27 17:00 . 2009-10-17 04:19 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\Skype
2010-04-27 10:31 . 2009-04-16 05:22 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\skypePM
2010-04-26 19:00 . 2009-04-20 17:53 -------- d-----w- c:\program files\Softonic_English
2010-04-24 15:28 . 2010-03-27 14:10 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\vlc
2010-04-23 22:47 . 2008-11-22 09:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-19 19:53 . 2008-11-22 08:59 -------- d-----w- c:\program files\Patches
2010-04-17 15:04 . 2009-06-02 21:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 22:42 . 2008-11-22 07:46 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-27 14:11 . 2010-03-27 14:06 -------- d-----w- c:\program files\Graboid
2010-03-27 14:10 . 2010-03-27 14:10 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\MozillaControl
2010-03-27 14:09 . 2009-04-16 04:25 91128 ----a-w- c:\documents and settings\rtummalapal3\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-27 14:08 . 2010-03-27 14:08 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2010-03-27 10:14 . 2010-02-15 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-27 10:14 . 2010-02-16 08:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-27 10:13 . 2009-12-11 08:35 -------- d-----w- c:\program files\ClarifyCRM12iSR1.35
2010-03-23 17:26 . 2010-03-20 11:39 -------- d-----w- c:\documents and settings\rtummalapal3\Application Data\ActionVoip
2010-03-11 12:38 . 2008-11-22 14:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-11-22 14:31 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-11-22 14:30 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-11-22 14:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 08:53 . 2008-11-22 10:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-27 16:46 . 2010-02-27 13:12 -------- d-----w- c:\program files\Radio_Bar_1
2010-02-24 13:11 . 2008-11-22 14:32 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2008-11-22 14:32 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-11-22 14:30 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-11-22 14:33 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-04-21 11:55 . 2010-04-21 11:55 65536 ----a-w- c:\program files\mozilla firefox\components\ffxShot.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{930f1200-f5f1-4870-bac6-e233ec8e7023}"= "c:\program files\Softonic_English\tbSof0.dll" [2010-03-03 2349080]

[HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{930f1200-f5f1-4870-bac6-e233ec8e7023}]
2010-03-03 18:01 2349080 ----a-w- c:\program files\Softonic_English\tbSof0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9BA1E43-FEAA-496D-92E8-B50277EA77C6}]
2010-04-21 11:55 299008 ----a-w- c:\windows\system32\jkyyyaxo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{930f1200-f5f1-4870-bac6-e233ec8e7023}"= "c:\program files\Softonic_English\tbSof0.dll" [2010-03-03 2349080]

[HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{930F1200-F5F1-4870-BAC6-E233EC8E7023}"= "c:\program files\Softonic_English\tbSof0.dll" [2010-03-03 2349080]

[HKEY_CLASSES_ROOT\clsid\{930f1200-f5f1-4870-bac6-e233ec8e7023}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Pointsec Media Encryption Encrypted File]
@="{DFD0D93C-5C34-4db6-9760-F7A788D89B8E}"
[HKEY_CLASSES_ROOT\CLSID\{DFD0D93C-5C34-4db6-9760-F7A788D89B8E}]
2008-06-04 04:27 172032 ----a-w- c:\program files\Pointsec\Pointsec Media Encryption\Program\pmeshe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\rtummalapal3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-02-19 2633976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-03-10 136512]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2008-06-19 666176]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TPPOLL10"="c:\program files\TDCAM\TD0608\TPPOLL10.EXE" [2006-08-23 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-5-29 596584]

[___________________________________________________]
"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-10-26 23:41 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 15:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Pointsec Media Encryption]
2008-06-04 04:25 212992 ----a-w- c:\windows\system32\pmewnp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\D:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3862023818-561856838-1454042042-105058\Scripts\Logon\0\0]
"Script"=Block_AutoRun_User.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3862023818-561856838-1454042042-105058\Scripts\Logon\1\0]
"Script"=usermanual.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\rtummalapal3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\rtummalapal3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Pointsec Media Encryption Filter Driver;Pointsec Media Encryption Filter Driver;c:\windows\system32\drivers\psfilter.sys [6/4/2008 9:58 AM 118784]
R0 Pointsec Media Encryption Recognizer Driver;Pointsec Media Encryption Recognizer Driver;c:\windows\system32\drivers\psrec.sys [6/4/2008 9:58 AM 106240]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [6/19/2008 4:54 PM 222016]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 8:51 PM 19496]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/22/2008 1:59 PM 10880]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [11/22/2008 5:14 PM 13480]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [10/27/2008 5:03 AM 1676536]
R2 BlackICE;BlackICE;c:\program files\ISS\Proventia Desktop\blackd.exe [12/18/2008 12:27 PM 2011473]
R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [4/25/2007 11:55 PM 36957]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [10/27/2008 5:08 AM 98304]
R2 FSCLM Driver;FSCLM Driver;c:\windows\system32\drivers\fsclm.sys [6/4/2008 9:50 AM 97760]
R2 NightWatchman50;NightWatchman50;c:\program files\1E\NightWatchman50\NwmSvc.exe [5/27/2009 4:31 PM 1000728]
R2 NwmSleepless;NwmSleepless;c:\windows\system32\drivers\NwmSleepless.sys [10/7/2009 9:12 AM 42488]
R2 OracleOraHome92Agent;OracleOraHome92Agent;c:\oracle\ora92\bin\agntsrvc.exe [4/26/2002 5:29 PM 28944]
R2 OracleServiceCSC;OracleServiceCSC;c:\oracle\ora92\bin\ORACLE.EXE CSC --> c:\oracle\ora92\bin\ORACLE.EXE CSC [?]
R2 OracleServiceCSC1;OracleServiceCSC1;c:\oracle\ora92\bin\ORACLE.EXE CSC1 --> c:\oracle\ora92\bin\ORACLE.EXE CSC1 [?]
R2 Pointsec Media Encryption Driver;Pointsec Media Encryption Driver;c:\windows\system32\drivers\psfilenc.sys [6/4/2008 9:58 AM 113024]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [6/19/2008 4:55 PM 612928]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [6/19/2008 4:55 PM 145984]
R2 SDPrimer;SD Primer Agent;c:\sysmgt\sdprimer.exe [11/22/2008 3:15 PM 139264]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [10/23/2008 10:06 PM 1213728]
R2 sprtsvc_supportsoft_amer_csci;SupportSoft Sprocket Service (supportsoft_amer_csci);c:\program files\SupportSoft_AMER_CSCi\bin\sprtsvc.exe [10/23/2008 10:06 PM 202016]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [11/22/2008 8:03 PM 14336]
R2 tgsrvc_supportsoft_amer_csci;SupportSoft Repair Service (supportsoft_amer_csci);c:\program files\SupportSoft_AMER_CSCi\bin\tgsrvc.exe [10/23/2008 10:06 PM 148768]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\ISS\Proventia Desktop\vpatch.exe [12/18/2008 12:28 PM 426333]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [12/24/2008 2:31 AM 482176]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [11/22/2008 5:13 PM 243856]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/18/2008 12:30 PM 26137]
R3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [12/18/2008 12:27 PM 76849]
R3 Pointsec Media Encryption Logging Service;Pointsec Media Encryption Logging Service;c:\program files\Pointsec\Pointsec Media Encryption\Program\pmelog.exe [6/4/2008 9:55 AM 311296]
R3 Pointsec Media Encryption Policy Service;Pointsec Media Encryption Policy Service;c:\program files\Pointsec\Pointsec Media Encryption\Program\pmepol.exe [6/4/2008 9:55 AM 299008]
R3 Pointsec Media Encryption Service;Pointsec Media Encryption Service;c:\program files\Pointsec\Pointsec Media Encryption\Program\pmefsvc.exe [6/4/2008 9:55 AM 313344]
R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [12/18/2008 12:27 PM 47788]
R4 black;black;c:\windows\system32\drivers\Blackcat.sys [12/18/2008 12:27 PM 197106]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
R4 pctgntdi;pctgntdi;\??\c:\windows\system32\drivers\pctgntdi.sys --> c:\windows\system32\drivers\pctgntdi.sys [?]
S2 gupdate1ca4ee13fa9a66;Google Update Service (gupdate1ca4ee13fa9a66);c:\program files\Google\Update\GoogleUpdate.exe [10/17/2009 9:49 AM 133104]
S2 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;c:\oracle\ora92\Apache\Apache\Apache.exe [4/18/2002 10:02 PM 4096]
S2 VMMEMCTL;VMware server memory controller;\??\c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys --> c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [?]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [10/27/2008 5:08 AM 106496]
S3 DCamUSBTP10;USB Video Camera ;c:\windows\system32\drivers\TD0608.SYS [2/12/2010 11:49 AM 241692]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\CSC VPN Client\Extranet_serv.exe [12/18/2008 12:30 PM 835584]
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [10/27/2008 5:11 AM 118784]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/18/2008 12:30 PM 155152]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;c:\oracle\ora92\bin\encsvc.exe [2/13/2002 8:23 AM 187392]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;c:\oracle\ora92\bin\agntsvc.exe [2/13/2002 8:23 AM 254464]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [11/22/2008 1:59 PM 4608]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [11/22/2008 8:06 PM 15744]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [11/22/2008 1:59 PM 22528]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/22/2008 8:03 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
WINRM REG_MULTI_SZ WINRM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4115d76-29bf-11de-93ee-444553544200}]
\Shell\AutoRun\command - noda/noda32.exe
\Shell\explore\command - .////////noda/\\\\\noda32.exe
\Shell\open\command - noda/////////noda32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebaf174c-59d6-11de-9477-444553544200}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3b5118d-8431-11de-94c3-444553544200}]
\SHell\AutoRun\command - f:\temp\winsetup.exe
\SHell\OPen\COmMand - f:\temp\winsetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{C9A8D376-2D89-4556-8E9F-A42EEFBDD995}]
"c:\program files\Internet Explorer\hkcu.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4E90AD03-7AA2-462A-A792-A393C270ACED}]
regedit.exe /s "c:\support\LotusBak\HKCU-cleanup.reg"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D41A1F6-0687-4EFF-A47A-0BA7C5D7A5AE}]
msiexec /fpu {6D41A1F6-0687-4EFF-A47A-0BA7C5D7A5AE} /quiet

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-17 04:19]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-17 04:19]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3862023818-561856838-1454042042-105058Core.job
- c:\documents and settings\rtummalapal3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 17:35]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3862023818-561856838-1454042042-105058UA.job
- c:\documents and settings\rtummalapal3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 17:35]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://portal.csc.com
uInternet Settings,ProxyOverride = 20.*;170.*;*.csc.com;*.csci;<local>
uInternet Settings,ProxyServer = 20.198.64.13:6588
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ActionVoip - c:\program files\ActionVoip.com\ActionVoip\ActionVoip.exe
HKCU-Run-YVIBBBHA8C - c:\docume~1\RTUMMA~1\LOCALS~1\Temp\Vnx.exe
HKCU-Run-newupdate1142C.exe - c:\documents and settings\rtummalapal3\Application Data\AE47D7B76AFE622337947D37BFE187DC\newupdate1142C.exe
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-27 22:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92PagingServer]
"ImagePath"="c:\oracle\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="c:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(408)
c:\windows\system32\pssogina.dll
c:\windows\system32\atginahook.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.DLL
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\AFSSClientLib.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\PssoCM32.dll
c:\windows\system32\pmewnp.dll

- - - - - - - > 'lsass.exe'(468)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2010-04-27 22:59
ComboFix-quarantined-files.txt 2010-04-27 17:29

Pre-Run: 27,369,615,360 bytes free
Post-Run: 27,542,204,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=alwaysoff /fastdetect
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

- - End Of File - - A61235C87F214F6E76959155345F5D50
0
Reboot your computer in safe mode with an administrator account. Download ComboFix and run it. It will restart the computer automatically in normal mode once it's done. After that, run the Malwarebytes tool to remove remaining infections.
0
RT1982 Posts 10 Registration date Monday April 26, 2010 Status Member Last seen April 30, 2010
Apr 28, 2010 at 01:56 AM
Hi Liz,
Check for the process called XXManager.exe and kill that process: press CTRL + ALT + DELETE, go to Task Manager --> Processes tab and search for XXManager.exe (XX can be anything, like AP, IQ or anything else for that matter).
I had a process called APManager.exe and killed it, and I was able to kill the ICPP Foundation screen which was haunting me; later my desktop was restored.
And follow the steps below that AMBUCIAS has mentioned. It definitely works and will help you to solve the issue.

Cheers,
RT
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Apr 28, 2010 at 04:03 AM
RT

Thank you ever so much for the information. That virus is quite something, isn't it.
0
RT1982 Posts 10 Registration date Monday April 26, 2010 Status Member Last seen April 30, 2010
Apr 28, 2010 at 05:19 AM
Hi Ambucias,
Did u check the log file of COMBOFIX which I have posted ... Am I free with all the viruses ???

Awaiting your reply.
Thank you
Regards,
RT
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Apr 28, 2010 at 05:25 AM
Hello RT,

Bizarre but the log was never brought to my attention. I just checked it and everything seems fine.

Lastly, I would recommend that you turn off your system restore for about 45 seconds, turn it back on and create a new restore point. In case of a problem, you will know it is a safe date to return to.

Best regards
0
RT1982 Posts 10 Registration date Monday April 26, 2010 Status Member Last seen April 30, 2010
Apr 28, 2010 at 05:43 AM
Thank you very much .... I will do it and let you know tomorrow ...
Now I can have smile on my face :)
0
RT1982 Posts 10 Registration date Monday April 26, 2010 Status Member Last seen April 30, 2010
Apr 29, 2010 at 01:56 AM
Hi Ambucias,
I ran rkill.exe and it got terminated after a few minutes, and I got a log stating that rkill got terminated. Later I ran Anti-Malware, did a full scan and got the two logs shown below:
1. Which says Quarantined and Deleted successfully ..... Which is good ... :)
2. Found but no action taken ..... Which is not good :(
Can I just go and delete those infected files manually? There are a few in the registry keys. Can I delete those by going into the registry?

As you mentioned I stopped System Restore for 45 seconds and created a New Restore point.

-------------Start-Quarantined and Deleted Successfully-----------
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4048

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/29/2010 4:01:42 AM
mbam-log-2010-04-29 (04-01-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 276617
Time elapsed: 1 hour(s), 32 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 13
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jkyyyaxo.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a9722a0d-365f-47d2-b70b-37d046316d99} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fiujohrofgu (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CscrptXt.CscrptXt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ezLife (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adhlpr.adhlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adhlpr.adhlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9ba1e43-feaa-496d-92e8-b50277ea77c6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d9ba1e43-feaa-496d-92e8-b50277ea77c6} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\rtummalapal3\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\rtummalapal3\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\rtummalapal3\Application Data\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\rtummalapal3\Application Data\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife\1.5.2.0 (Adware.EzLife) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\jkyyyaxo.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\ffxShot.dll (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1471028-A3B6-45F0-B61C-BCCBBD77C9C5}\RP222\A0108334.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1471028-A3B6-45F0-B61C-BCCBBD77C9C5}\RP229\A0109452.dll (Adware.IEhlpr) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1471028-A3B6-45F0-B61C-BCCBBD77C9C5}\RP231\A0112313.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1471028-A3B6-45F0-B61C-BCCBBD77C9C5}\RP231\A0112541.exe (Trojan.FraudTool) -> Quarantined and deleted successfully.
C:\WINDOWS\Vhujua.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fiujohrofgu.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jhyrospfjw.dll.vir (Adware.IEhlpr) -> Quarantined and deleted successfully.
C:\Documents and Settings\rtummalapal3\Application Data\ezLife\ezLife\log.xml (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\ezLife\ezLife\log.xml (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife\1.5.2.0\uninstall.exe (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\nsFFxSHot.xpt (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\rtummalapal3\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\rtummalapal3\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vumemhhq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
-------------End-Quarantined and Deleted Successfully-----------

2. -------------Start-Quarantined and No Action Taken-----------
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4048

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/29/2010 4:01:19 AM
MALWARE LOG.txt

Scan type: Full scan (C:\|)
Objects scanned: 276617
Time elapsed: 1 hour(s), 32 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 13
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jkyyyaxo.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{a9722a0d-365f-47d2-b70b-37d046316d99} (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fiujohrofgu (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\CscrptXt.CscrptXt (Adware.EZlife) -> No action taken.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ezLife (Adware.EZlife) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife (Adware.EzLife) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> No action taken.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\adhlpr.adhlpr (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\adhlpr.adhlpr.1.0 (Adware.Adrotator) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9ba1e43-feaa-496d-92e8-b50277ea77c6} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d9ba1e43-feaa-496d-92e8-b50277ea77c6} (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\rtummalapal3\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
C:\Documents and Settings\rtummalapal3\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> No action taken.
C:\Documents and Settings\Administrator\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
C:\Documents and Settings\Administrator\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> No action taken.
C:\Documents and Settings\rtummalapal3\Application Data\ezLife (Adware.EzLife) -> No action taken.
C:\Documents and Settings\rtummalapal3\Application Data\ezLife\ezLife (Adware.EzLife) -> No action taken.
C:\Documents and Settings\Administrator\Application Data\ezLife (Adware.EzLife) -> No action taken.
C:\Documents and Settings\Administrator\Application Data\ezLife\ezLife (Adware.EzLife) -> No action taken.
C:\Program Files\ezLife (Adware.EzLife) -> No action taken.
C:\Program Files\ezLife\ezLife (Adware.EzLife) -> No action taken.
C:\Program Files\ezLife\ezLife\1.5.2.0 (Adware.EzLife) -> No action taken.

Files Infected:
C:\WINDOWS\system32\jkyyyaxo.dll (Trojan.BHO) -> No action taken.
C:\Program Files\Mozilla Firefox\components\ffxShot.dll (Adware.Adrotator) -> No action taken.
C:\System Volume Information\_restore{D1471028-A3B6-45F0-B61C-BCCBBD77C9C5}\RP222\A0108334.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{D1471028-A3B6-45F0-B61C-BCCBBD77C9C5}\RP229\A0109452.dll (Adware.IEhlpr) -> No action taken.
C:\System Volume Information\_restore{D1471028-A3B6-45F0-B61C-BCCBBD77C9C5}\RP231\A0112313.exe (Malware.Packer.Gen) -> No action taken.
C:\System Volume Information\_restore{D1471028-A3B6-45F0-B61C-BCCBBD77C9C5}\RP231\A0112541.exe (Trojan.FraudTool) -> No action taken.
C:\WINDOWS\Vhujua.exe (Trojan.FraudPack.Gen) -> No action taken.
C:\WINDOWS\system32\fiujohrofgu.exe (Adware.Adrotator) -> No action taken.
C:\WINDOWS\system32\jhyrospfjw.dll.vir (Adware.IEhlpr) -> No action taken.
C:\Documents and Settings\rtummalapal3\Application Data\ezLife\ezLife\log.xml (Adware.EzLife) -> No action taken.
C:\Documents and Settings\Administrator\Application Data\ezLife\ezLife\log.xml (Adware.EzLife) -> No action taken.
C:\Program Files\ezLife\ezLife\1.5.2.0\uninstall.exe (Adware.EzLife) -> No action taken.
C:\Program Files\Mozilla Firefox\components\nsFFxSHot.xpt (Adware.Adrotator) -> No action taken.
C:\Documents and Settings\rtummalapal3\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> No action taken.
C:\Documents and Settings\rtummalapal3\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> No action taken.
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\vumemhhq.dll.vir (Trojan.Vundo) -> No action taken.
-------------End-Quarantined and No Action Taken-----------
0
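A small triage script for Malwarebytes logs of the kind posted above, added here as an example (not part of the thread, and not code from Malwarebytes): it parses the "item (Classification) -> action." lines section by section, buckets each detection as removed, pending reboot or still present, and checks the header counts against the detections actually listed, which catches a truncated paste. The excerpts inside it are constructed from the format of the posted logs, using keys and paths that appear there.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log: which detections were
removed, which wait for a reboot, and which are still present. Added example,
not code from the thread or from Malwarebytes; sample excerpts are constructed."""
import re
from collections import defaultdict

# "Registry Keys Infected:" opens a section; "Registry Keys Infected: 22" is a summary line.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# Detection line: "<key or path> (<Classification>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<cls>[^()]+)\) -> (?P<action>.+?)\.?$")
ACTIONS = {"No action taken": "unhandled", "Delete on reboot": "pending_reboot"}


def parse_mbam_log(text):
    """Map each 'Infected' section to a list of (item, classification, action)."""
    findings = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if SUMMARY_RE.match(line):
            continue                      # counts block, handled by check_summary
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings[section].append((m["item"], m["cls"], m["action"]))
    return dict(findings)


def triage(findings):
    """Bucket detections as removed / pending_reboot / unhandled (still present)."""
    out = {"removed": [], "pending_reboot": [], "unhandled": []}
    for rows in findings.values():
        for item, _cls, action in rows:
            out[ACTIONS.get(action, "removed")].append(item)
    return out


def check_summary(text, findings):
    """Sections whose header count disagrees with the detections actually listed
    (a sign of a truncated paste); returns [(section, reported, parsed)]."""
    mismatches = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m and int(m["n"]) != len(findings.get(m["name"], [])):
            mismatches.append((m["name"], int(m["n"]), len(findings.get(m["name"], []))))
    return mismatches


# Constructed excerpt in the thread's log format (keys and paths as posted).
SAMPLE_NO_ACTION = r"""
Registry Keys Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> No action taken.

Files Infected:
C:\WINDOWS\system32\jkyyyaxo.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> No action taken.
"""
# Same scan after removal: one DLL was in use and is scheduled for deletion at reboot.
SAMPLE_DELETED = (SAMPLE_NO_ACTION
                  .replace("No action taken", "Quarantined and deleted successfully")
                  .replace("(Trojan.BHO) -> Quarantined and deleted successfully",
                           "(Trojan.BHO) -> Delete on reboot"))

if __name__ == "__main__":              # usage on the constructed excerpt
    print(triage(parse_mbam_log(SAMPLE_NO_ACTION))["unhandled"])
```

Point parse_mbam_log() at the text of a real mbam-log-*.txt to use it on your own output; items in the "unhandled" bucket are the ones the scan found but did not remove.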
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Apr 29, 2010 at 05:09 AM
Hello RT

This is a very interesting log, I will keep it for reference and posterity.
Yes, you certainly can delete those registry entries; I would do it, because otherwise it is as if there is a stranger in the house, a wolf in the sheep pen.

After deletion, again, please create another restore point.

Thank you for the log.

Best regards
0
RT1982 Posts 10 Registration date Monday April 26, 2010 Status Member Last seen April 30, 2010
Apr 29, 2010 at 05:44 AM
Thank you Ambucias .. I will delete all the registry keys which are infected, create another restore point and run the ANTIMALWARE again to confirm ... and post you the log again tomorrow. Thank you for your advice and solution.
0
RT1982 Posts 10 Registration date Monday April 26, 2010 Status Member Last seen April 30, 2010
Apr 30, 2010 at 05:55 AM
Hi Ambucias ..
I tried to delete those which were not deleted by ANTIMALWARE, but I couldn't find anything mentioned in the paths of the LOG (QUARANTINED and NO ACTION TAKEN),
so I assume that my laptop is free of viruses.
I have a small clarification .... In my WINDOWS folder I see a lot of hidden folders named $UNINSTALLXXXX
(C:\WINDOWS\$UNINSTALLXXXX) .. what are these folders .. Can I delete those folders ..?????

Thank you for all your comments and feedback, which really helped me to solve my issue ....

Regards,
RT
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Apr 30, 2010 at 06:02 AM
Hello RT

The uninstall folders are from the different Windows security updates (KBxxxxx). If you did not encounter any problems with an update, you can delete its folder. I usually keep the last one received. By deleting them you gain disk space.

Good luck
0
I have just been faced with this virus. I got so worried, because it gives very accurate information, including a reference to my University computing services department, that had I not tried to visit the ICPP website I would not have come across the fact that this is a virus.

This blog is so helpful. I am currently running one of the suggestions to see how I can get rid of this. Will keep you all posted.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
May 2, 2010 at 04:38 PM
Thank you Berry, please do!
0