also @ TechSpot: Android 4.0: Tracking Ice Cream Sandwich's Availability on Smartphones

TechSpot

TechSpot News Products Downloads Forums

Register now for a live online demo to see how the Office 365 suite of tools
- professional email, calendars, video conferencing, and file sharing -

[Active] PC infected - ran 5 steps - is PC clean?

Discussion in 'Virus and Malware Removal' started by cjanien, Nov 21, 2011.

Page 1 of 2

cjanien Newcomer, in training

Hi,

My wife's computer was infected with malware/virus. I have used Spybot with nothing found. I then went through the 5 step process in the FAQ downloading and running Malwarebytes, GMER, and DDS. It looks like these routines found problems. Below are the logs for the 3 programs.

I would like to know if the PC is now "disinfected" and is there any way to know the source of the virus so that it can be avoided. What should I be running to avoid future infection (PC is running XP but advise on W7 would be helpful too).

Thanks,

Chris

Malwarebytes log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8203

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/20/2011 8:54:36 PM
mbam-log-2011-11-20 (20-54-36).txt

Scan type: Quick scan
Objects scanned: 208813
Time elapsed: 15 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\chris janien\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Hawkins\local settings\Temp\~!#29.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Hawkins\local settings\Temp\~!#2A.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
c:\documents and settings\Hawkins\local settings\Temp\~!#2C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Hawkins\local settings\Temp\2D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\privacy.exe (Rogue.PrvacyProtect) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.

cjanien, Nov 21, 2011

#1
cjanien Newcomer, in training

I'm trying to post GMER.log but it is too long - 500,000+ vs 50,000 limit.

DDS.TXT will not post because there are 7 images which is over the 6 image limit. I don't understand this as I am cutting and pasting teh exact file with nothing added.

Cannot find ATTACH.TXT

How do I get there files posted?

cjanien, Nov 21, 2011

#2
cjanien Newcomer, in training

Part 1 of DDS.TXT

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_16
Run by Chris Janien at 22:06:11 on 2011-11-20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3032.2113 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\DTS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\AtService.exe
C:\WINDOWS\system32\FpLogonServ.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe

cjanien, Nov 21, 2011

#3
cjanien Newcomer, in training

============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\Amsg.exe /startup
mRun: [CameraApplicationLauncher] c:\program files\lenovo\camera center\bin\CameraApplicationLaunchpadLauncher.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [ToolboxFX] "c:\program

cjanien, Nov 21, 2011

#4
cjanien Newcomer, in training

Edit to condense lot in previous post.

cjanien, Nov 21, 2011

#5
cjanien Newcomer, in training

Edit to condense log into previous post.

cjanien, Nov 21, 2011

#6
cjanien Newcomer, in training

Edit to condense log in to previous post.

cjanien, Nov 21, 2011

#7
cjanien Newcomer, in training

Edit to condense log in to previous post.
DDS log is continued below.

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli ACGina
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2011-9-21 25968]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2011-3-29 20592]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-20 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-20 320856]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-9-21 13680]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-20 20568]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-26 1676536]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-20 44768]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2011-9-21 292200]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-26 98304]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-10-26 118784]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2010-10-25 145920]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-10-26 69632]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\thinkpad\utilities\PWMEWSVC.exe [2011-9-21 148840]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-9-21 130920]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-9-23 64952]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-14 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 360448]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-10-26 2058776]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [2010-10-26 72448]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2010-10-26 482176]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-10-26 241880]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2010-10-26 23080]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-6 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-9-21 45496]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-26 106496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-6 136176]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [2011-5-11 20504]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [2011-5-11 21528]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-11-21 01:30:09 -------- d-----w- c:\documents and settings\chris janien\application data\Malwarebytes
2011-11-21 01:29:45 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-21 01:29:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 01:29:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-20 23:32:16 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-20 23:32:07 41184 ----a-w- c:\windows\avastSS.scr
2011-11-20 23:31:56 -------- d-----w- c:\program files\AVAST Software
2011-11-20 23:31:56 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
.
==================== Find3M ====================
.
2011-10-19 18:14:06 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-22 03:15:05 73728 ------w- c:\windows\system32\javacpl.cpl
2011-09-22 03:15:05 472808 ------w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 22:06:54.48 ===============

cjanien, Nov 21, 2011

#8
cjanien Newcomer, in training

One line in the DDS.TXT file would not load for some reason so I have parsed it out.

cjanien, Nov 21, 2011

#9
cjanien Newcomer, in training

Re ran GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-21 02:14:17
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.FC2Z
Running: ucjzuyfi.exe; Driver: C:\DOCUME~1\CHRISJ~1\LOCALS~1\Temp\ugtdipog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0x99BC5D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0x99BC5BC5]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x99C1D9A6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

cjanien, Nov 21, 2011

#10
Bobbye Helper on the Fringe

Welcome to TechSpot! It would have been easier for you-and me- if you pasted as much of a log that could fit in a post instead of pieces of it. I'm going to try to get it together. will be back.

Bobbye, Nov 21, 2011

#11
Bobbye Helper on the Fringe
Please don't string the logs out like you did with DDS. I have edited the posts and added most of the DDS.txt sections together, with the remainder in the following post.

I cannot tell at this point if the system is clean. There were Worms and rogue software programs found. Why couldn't you paste in the Attach.txt log from DDS?

Are all the entries for the Citrix XenApp (formerly Citrix MetaFrame Server and Citrix Presentation Server) set up intentionally and are they all necessary? The multiple filter entries are Name(s): application/x-ica, ica
Filename: IcaMimeFilter.dll
=====================================================
Please let me know about the Attach.txt problem.
=====================================================

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESETOnlineScan

For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
[o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
[o] Double click on the on your desktop.

Check 'Yes I accept terms of use.'

Click Start button

Accept any security warnings from your browser.

Uncheck 'Remove found threats'

Check 'Scan archives/

Leave remaining settings as is.

Press the Start button.

ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.

When the scan completes, press List of found threats

Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.

Push the Back button

Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=========================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HERE and save to the desktop

Double click combofix.exe & follow the prompts.

ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.

.Click on Yes, to continue scanning for malware

.If Combofix asks you to update the program, allow

.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

.Close any open browsers.

.Double click combofix.exe & follow the prompts to run.

When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==================================
My Guidelines: please read and follow:

Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.

Read my instructions carefully. If you don't understand or have a problem, ask me.

If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.

Follow the order of the tasks I give you. Order is crucial in cleaning process.

File sharing programs should be uninstalled or disabled during the cleaning process..

Observe these:
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.

Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================

It would be helpful for you to tell me what problems were being caused, not just that you had malware.
Bobbye, Nov 21, 2011

#12
cjanien Newcomer, in training

Hi Bobbye,

Sorry about the multiple posts of GMER and thank you for condensing my posts.

The reason for the multiple posts of GMER is that one line of the log was stopping my upload to Techspot. I kept getting an error saying I had 7 graphics in the upload and was only allowed 6. The only way to figure out where the problem was was to parse the file and send it in pieces. Fortunately the multiple GMER msgs are in sequence.

Also on my first run of GMER I got a log file that was 500,000+ characters. It was too big to upload as Techspot would only take 50,000. I think I may have caused that problem by hitting the "scan" button once GMER opened. You might want make the FAQ a little clearer on that point.

The ATTACH.TXT does not exist. I've done several searchs of the entire disk and could not find the file. Even searching by create date, in case I had the name wrong, did not find anything. Should I rerun DDS? Where does DDS place the ATTACH.TXT file?

The Citrix programs are necessary for accessing a cloud program and database. IcaMimeFilter.dll is part of the Citrix package as it is sitting in the Citrix directory.

I will run the additional programs as you have instructed and post the results unless you need me to run DDS first to get a new ATTACH.TXT file.

Thanks for all of your help,

Chris

PS do you want to see the one GMER line in that log that caused the upload problem?

cjanien, Nov 21, 2011

#13
Bobbye Helper on the Fringe

You should not have had any images (graphics) in the logs. Don't put any 'Smileys' in the post. We have increased the allowed character limit- this is usually enough to hold the prelim. logs. But another post can be used if needed.

Also on my first run of GMER I got a log file that was 500,000+ characters. It was too big to upload as Techspot would only take 50,000. I think I may have caused that problem by hitting the "scan" button once GMER opened. You might want make the FAQ a little clearer on that point.

There is a

Warning ! Please, do not select the "Show all" checkbox during the scan.

right above "Post the log." If a member overlooks that and does 'show all', it will generate a huge, multi-post log. Perhaps that's what happened to you. I don't need that last line now.

I guess you did a search for Attach.txt in the system. If you cannot find it, please run DDS again. Just paste in the Attach.exe log- I don't need the other one again. Please ignore the instruction to 'not post unless asked' and to 'zip'- just paste it in. The log you fragmented that I edited together was for a large section of the DDS.txt log.

Please paste the Attach.txt log in first. Follow that with the log from the Eset online virus scan.

Just so you don't run into the problem again, go ahead to another reply for the Combofix log. There is sometimes a section in the middle of the log which can make it lengthy, but I can't predict that. If you do need to split that logs, split at the end of a section, not in the middle.

No problem with Citrix. Just being on the safe side.

Bobbye, Nov 21, 2011

#14
cjanien Newcomer, in training

ATTACH.TXT

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/26/2010 9:31:15 PM
System Uptime: 11/21/2011 9:48:39 AM (5 hours ago)
.
Motherboard: LENOVO | | 7454CTO
Processor: Intel Pentium III Xeon processor | None | 2393/266mhz
Processor: Intel Pentium III Xeon processor | None | 2394/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 142 GiB total, 115.388 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) Active Management Technology - SOL
Device ID: PCI\VEN_8086&DEV_2A47&SUBSYS_20EC17AA&REV_07\3&B1BFB68&0&1B
Manufacturer: Intel
Name: Intel(R) Active Management Technology - SOL (COM4)
PNP Device ID: PCI\VEN_8086&DEV_2A47&SUBSYS_20EC17AA&REV_07\3&B1BFB68&0&1B
Service: Serial
.
==== System Restore Points ===================
.
RP152: 8/24/2011 12:03:07 PM - System Checkpoint
RP153: 8/25/2011 5:29:14 PM - System Checkpoint
RP154: 8/29/2011 12:14:55 PM - System Checkpoint
RP155: 8/30/2011 8:20:59 PM - System Checkpoint
RP156: 9/1/2011 3:50:05 PM - System Checkpoint
RP157: 9/3/2011 12:45:38 AM - System Checkpoint
RP158: 9/4/2011 4:21:37 AM - System Checkpoint
RP159: 9/5/2011 8:21:37 AM - System Checkpoint
RP160: 9/6/2011 12:04:17 PM - System Checkpoint
RP161: 9/8/2011 8:48:28 PM - System Checkpoint
RP162: 9/11/2011 5:46:08 PM - System Checkpoint
RP163: 9/12/2011 6:00:14 PM - Removed HP Update.
RP164: 9/21/2011 11:11:01 PM - Removed Adobe Reader 8.2.6
RP165: 9/21/2011 11:14:58 PM - Installed Java(TM) 6 Update 26
RP166: 9/21/2011 11:50:00 PM - Installed ThinkPad Power Management Driver
RP167: 9/22/2011 12:24:12 AM - Installed Power Manager
RP168: 9/22/2011 12:25:20 AM - Installed Message Center
RP169: 9/22/2011 2:25:45 AM - Software Distribution Service 3.0
RP170: 10/7/2011 4:12:29 PM - System Checkpoint
RP171: 10/8/2011 3:00:12 AM - Software Distribution Service 3.0
RP172: 10/9/2011 6:26:29 PM - System Checkpoint
RP173: 10/10/2011 8:31:16 PM - System Checkpoint
RP174: 10/11/2011 11:10:03 PM - System Checkpoint
RP175: 10/12/2011 10:53:34 AM - Software Distribution Service 3.0
RP176: 10/13/2011 11:27:09 AM - System Checkpoint
RP177: 10/14/2011 11:21:14 PM - Configured Presentation Director
RP178: 10/14/2011 11:21:48 PM - Installed EasyEject Utility
RP179: 10/14/2011 11:22:32 PM - Installed ThinkVantage Access Connections
RP180: 10/14/2011 11:23:21 PM - Installed ThinkPad Keyboard Customizer Utility
RP181: 10/14/2011 11:24:02 PM - Installed Access Help
RP182: 10/14/2011 11:24:41 PM - Installed Help Center
RP183: 10/16/2011 10:27:37 PM - System Checkpoint
RP184: 10/20/2011 12:34:20 AM - System Checkpoint
RP185: 10/21/2011 8:53:37 AM - System Checkpoint
RP186: 10/24/2011 4:54:29 PM - System Checkpoint
RP187: 10/25/2011 9:26:18 PM - System Checkpoint
RP188: 10/26/2011 9:49:49 PM - System Checkpoint
RP189: 10/27/2011 10:49:49 PM - System Checkpoint
RP190: 10/29/2011 4:32:29 PM - System Checkpoint
RP191: 10/30/2011 5:12:27 PM - System Checkpoint
RP192: 10/31/2011 11:18:34 PM - System Checkpoint
RP193: 11/2/2011 12:16:09 AM - System Checkpoint
RP194: 11/3/2011 11:40:07 AM - System Checkpoint
RP195: 11/4/2011 2:58:11 PM - System Checkpoint
RP196: 11/5/2011 6:46:48 PM - System Checkpoint
RP197: 11/6/2011 6:38:07 PM - System Checkpoint
RP198: 11/7/2011 7:04:39 PM - System Checkpoint
RP199: 11/9/2011 4:58:01 PM - System Checkpoint
RP200: 11/10/2011 9:53:08 AM - Software Distribution Service 3.0
RP201: 11/13/2011 10:58:06 PM - System Checkpoint
RP202: 11/15/2011 10:50:21 AM - System Checkpoint
RP203: 11/16/2011 11:31:05 PM - System Checkpoint
RP204: 11/18/2011 7:46:28 PM - System Checkpoint
RP205: 11/20/2011 6:31:56 PM - avast! Free Antivirus Setup
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Access Help
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 8.3.1
avast! Free Antivirus
Camera Center
CCleaner
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Client Security - Password Manager
Conexant 20561 SmartAudio HD
Design Manager Professional 5.0
Google Chrome
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Update Helper
Help Center
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB889816)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB894686)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB898456)
Hotfix for Windows XP (KB903250)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB909667)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB916189)
Hotfix for Windows XP (KB917332)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB918837)
Hotfix for Windows XP (KB923293)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Hotfix for Windows XP (KB934205)
Hotfix for Windows XP (KB935192)
Hotfix for Windows XP (KB949483)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP LaserJet Professional CM1410 Series
HP LJ CM1410 MFP Series HP Scan
HP Update
HPLaserJetHelp_LearnCenter
HPLJUT
hppCM1410LaserJetService
hppFaxDrvCM1410
hppFaxUtilityCM1410
hppLaserJetService
hppSendFaxCM1410
hppTLBXFXCM1410
hpzTLBXFX
I.R.I.S. OCR
Integrated Camera Driver Installer Package Ver.1.18.500.0
Integrated Camera TWAIN
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) Network Connections Drivers
Intel(R) PROSet/Wireless WiFi Software
Intel® Active Management Technology
Intel® Trusted Platform Module
J2SE Runtime Environment 5.0 Update 16
Java Auto Updater
Java(TM) 6 Update 26
Lenovo Auto Scroll Utility
Lenovo Fingerprint Software
Lenovo Registration
Lenovo System Interface Driver
Malwarebytes' Anti-Malware version 1.51.2.1300
Marketsplash Shortcuts
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobile Broadband Connect
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
On Screen Display
PC-Doctor 5 for Windows
Presentation Director
Productivity Center Supplement for ThinkPad
Rescue and Recovery
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Skype™ 5.0
Spybot - Search & Destroy
System Migration Assistant
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Integration Setup
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Modem Adapter
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad TrackPoint Driver
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB898461)
Update for Windows XP (KB912945)
Update for Windows XP (KB925720)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Wireless BroadbandAccess Self Activation
Wallpapers
WebFldrs XP
Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (10/02/2008 8.1.2.37)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Toolbar
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883517
Windows XP Hotfix - KB883523
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB884868
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885894
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889315
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB896613
XP Themes
.
==== Event Viewer Messages From Past Week ========
.
11/20/2011 7:00:36 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 12 time(s).
11/20/2011 7:00:00 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 11 time(s).
11/20/2011 6:58:27 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 10 time(s).
11/20/2011 6:55:36 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 9 time(s).
11/20/2011 6:54:35 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 8 time(s).
11/20/2011 6:53:47 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 7 time(s).
11/20/2011 6:52:57 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 6 time(s).
11/20/2011 6:52:24 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 5 time(s).
11/20/2011 6:51:46 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 4 time(s).
11/20/2011 5:42:35 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
11/20/2011 5:39:09 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/20/2011 5:38:24 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'serial.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/20/2011 5:38:22 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/20/2011 5:36:23 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.
11/20/2011 5:36:23 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/20/2011 5:35:23 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/18/2011 6:21:04 PM, error: Dhcp [1002] - The IP address lease 192.168.1.118 for the Network Card with network address 00216A33492C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================

cjanien, Nov 21, 2011

#15
cjanien Newcomer, in training

Duplicate post

cjanien, Nov 21, 2011

#16
cjanien Newcomer, in training

ESET Online Scanner did not find anything.

ComboFix 11-11-21.01 - Chris Janien 11/21/2011 18:30:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3032.2503 [GMT -5:00]
Running from: c:\doc\Download\Combofix\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Hawkins\Application Data\.#
c:\windows\$NtUninstallKB48551$
c:\windows\$NtUninstallKB48551$\3677382295\@
c:\windows\$NtUninstallKB48551$\3677382295\bckfg.tmp
c:\windows\$NtUninstallKB48551$\3677382295\cfg.ini
c:\windows\$NtUninstallKB48551$\3677382295\Desktop.ini
c:\windows\$NtUninstallKB48551$\3677382295\kwrd.dll
c:\windows\$NtUninstallKB48551$\3677382295\L\hvmonmrs
c:\windows\$NtUninstallKB48551$\3677382295\lsflt7.ver
c:\windows\$NtUninstallKB48551$\3677382295\U\00000001.@
c:\windows\$NtUninstallKB48551$\3677382295\U\00000002.@
c:\windows\$NtUninstallKB48551$\3677382295\U\00000004.@
c:\windows\$NtUninstallKB48551$\3677382295\U\80000000.@
c:\windows\$NtUninstallKB48551$\3677382295\U\80000004.@
c:\windows\$NtUninstallKB48551$\3677382295\U\80000032.@
c:\windows\$NtUninstallKB48551$\3711939319
.
.
((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
.
.
2011-11-21 23:07 . 2011-11-21 23:08 -------- d-----w- C:\rei
2011-11-21 23:07 . 2011-11-21 23:07 -------- d-----w- c:\program files\Reimage
2011-11-21 01:30 . 2011-11-21 01:30 -------- d-----w- c:\documents and settings\Chris Janien\Application Data\Malwarebytes
2011-11-21 01:29 . 2011-11-21 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-21 01:29 . 2011-11-21 01:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-21 01:29 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-20 23:33 . 2011-11-20 23:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-11-20 23:32 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-20 23:32 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-20 23:32 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-20 23:32 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-20 23:32 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-20 23:32 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-20 23:32 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-20 23:32 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-20 23:32 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-20 23:32 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-20 23:31 . 2011-11-20 23:31 -------- d-----w- c:\program files\AVAST Software
2011-11-20 23:31 . 2011-11-20 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 18:14 . 2011-09-22 03:44 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-22 03:15 . 2011-09-22 03:15 73728 ------w- c:\windows\system32\javacpl.cpl
2011-09-22 03:15 . 2011-09-22 03:15 472808 ------w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-07 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-03-26 62312]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-09-29 93472]
"TpShocks"="TpShocks.exe" [2011-03-29 337256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-08 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-08 124248]
"AMSG"="c:\progra~1\THINKV~1\AMSG\Amsg.exe" [2009-09-03 436800]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2008-08-12 16384]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2011-07-04 800104]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2011-07-04 208896]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2011-04-14 431464]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2011-04-14 189800]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-14 3073336]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"ToolboxFX"="c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-13 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-13 170008]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-13 145432]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-3-28 596584]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-10-26 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-10-27 01:41 180224 ------w- c:\windows\system32\FpWinlogonNp.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\csiInstaller\\0EF0EA0D-F945-4958-85CC-60FF1E86D216\\Installer\\hpbcsiInstaller.exe"=
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [9/21/2011 11:24 PM 25968]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/29/2011 6:12 PM 20592]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/20/2011 6:32 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/20/2011 6:32 PM 320856]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 11:51 AM 65584]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/21/2011 10:50 PM 13680]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 7:50 AM 46144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/20/2011 6:32 PM 20568]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [10/26/2008 8:33 PM 1676536]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [9/21/2011 11:24 PM 292200]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [10/26/2008 8:38 PM 98304]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [10/26/2008 8:41 PM 118784]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [10/25/2010 1:53 PM 145920]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/26/2010 8:20 PM 69632]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.exe [9/21/2011 11:24 PM 148840]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [9/21/2011 10:50 PM 130920]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/23/2008 9:20 PM 64952]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 6:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 7:50 AM 360448]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/26/2010 8:03 PM 2058776]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [10/26/2010 8:06 PM 72448]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [10/26/2010 8:12 PM 482176]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [10/26/2010 7:51 PM 241880]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [10/26/2010 8:06 PM 23080]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 5:54 PM 37312]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/6/2010 10:06 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/21/2011 10:50 PM 45496]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [10/26/2008 8:38 PM 106496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/6/2010 10:06 PM 136176]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [5/11/2011 11:37 PM 20504]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [5/11/2011 11:37 PM 21528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-21 c:\windows\Tasks\At2.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\At3.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\At4.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-10 c:\windows\Tasks\At5.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\At6.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-19 c:\windows\Tasks\At7.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\At8.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]
.
2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 03:06]
.
2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 03:06]
.
2011-11-21 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-10-27 05:39]
.
2011-11-21 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-11-07 12:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 68.87.71.230
.
- - - - ORPHANS REMOVED - - - -
.
Notify-ACNotify - ACNotify.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-21 18:55
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1016)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
.
- - - - - - - > 'explorer.exe'(5444)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\MSCTF.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\LENOVO\HOTKEY\tposdsvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
c:\windows\system32\igfxext.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft Office\Office\1033\msoffice.exe
c:\progra~1\ThinkPad\UTILIT~1\SCHTASK.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-11-21 18:59:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-21 23:59
.
Pre-Run: 123,865,833,472 bytes free
Post-Run: 124,202,110,976 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 490F0DD9E4F375797A30AC734EB4E1D5

cjanien, Nov 21, 2011

#17
cjanien Newcomer, in training

Bobbye,

I did get a notification from Combofix that Rootkit.ZeroAccess was inserted in to TCP/IP stack and then again that RootKit detected.

Not happy about this. I appreciate your help.

Chris

cjanien, Nov 21, 2011

#18
Bobbye Helper on the Fringe
Remove Zero.Access

I just put this together and haven't had time to do all the formatting yet, but what you need is here:
Determine if you are infected with Zero.Access

1. Open the Task Manager by pressing Ctrl + Shift + Esc on your keyboard or by right-clicking the Start Menu bar and selecting Task Manager.

2. Be sure that "Show processes from all users" is selected at the bottom left-hand corner of the window. Click "Image Name" to sort this column alphabetically and then look at the top of the list.

If you are infected with the Zero.Access rootkit, you will see a running process such as "1077238835:3433286335.exe" (example only; your computer may display different numbers).

ESET has provided a stand-alone malware removal tool to remove this particularly resilient threat. Follow the steps below.

1. Download, save and run the 'Win32/Sirefef' stand-alone malware removal tool while in Normal Mode and follow the prompts as directed.
2. Restart your computer into Safe Mode with Networking after running the stand-alone tool.
Boot into Safe Mode

Restart your computer and start pressing the F8 key on your keyboard.

Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.

3. Run the ESET Online Scanner while in Safe Mode with Networking.

If you receive an error during any part of the process, locate the ESET Online Scanner program by clicking Start Control Panel Add/Remove Programs and remove it from your system. Run the scan again by double-clicking the esetsmartinstaller.exe installer you downloaded before. No restart is necessary after running the ESET Online Scanner.

4. Once the machine is clean and while still in Safe Mode with Networking, run the ESET Uninstaller. Follow the instructions by clicking the following link:

Windows Vista/Home Server/XP/2003 R2/2003/2000

5. The infection should be removed. Restart your computer normally.

Please let me know how this goes.

Combofix has removed one of the related entries.
=============================================
To anyone who may be reviewing this thread: Note: These directions are only for the member who started this thread. Do not attempt to run this on your own.
Bobbye, Nov 22, 2011

#19
cjanien Newcomer, in training

Did not see the ZeroAccess process running in the task manager. Should I run any other routines or cleanup?

cjanien, Nov 23, 2011

#20

(You must log in or sign up to reply here.)

Page 1 of 2

TechSpot | Technology News and Analysis
Copyright © 1998-2012, TechSpot, Inc.
Forum software by XenForo™
TechSpot is a registered trademark
All Rights Reserved