TechSpot

PC infected - ran 5 steps - is PC clean?

By cjanien
Nov 21, 2011
  1. Hi,

    My wife's computer was infected with malware/virus. I have used Spybot with nothing found. I then went through the 5-step process in the FAQ, downloading and running Malwarebytes, GMER, and DDS. It looks like these routines found problems. Below are the logs for the 3 programs.

    I would like to know if the PC is now "disinfected" and is there any way to know the source of the virus so that it can be avoided. What should I be running to avoid future infection (PC is running XP but advice on W7 would be helpful too)?

    Thanks,

    Chris

    Malwarebytes log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8203

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    11/20/2011 8:54:36 PM
    mbam-log-2011-11-20 (20-54-36).txt

    Scan type: Quick scan
    Objects scanned: 208813
    Time elapsed: 15 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 4
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\documents and settings\chris janien\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\Hawkins\local settings\Temp\~!#29.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\Hawkins\local settings\Temp\~!#2A.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
    c:\documents and settings\Hawkins\local settings\Temp\~!#2C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Hawkins\local settings\Temp\2D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\privacy.exe (Rogue.PrvacyProtect) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
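    The Malwarebytes log above has a fixed layout: per-section totals at the top, then one line per finding in the form "location (Detection.Name) -> action". The following is an added example for this thread (my code, not from the poster or from Malwarebytes) that parses that layout, tags each finding by where it lived rather than by family name (the Policies\Explorer\Run autostart value, the Firefox extension GUID folder, Temp droppers, the rogue exe in the All Users profile), lists anything MBAM did not finish removing, and cross-checks the header totals against the detail lines, which is the check you want when a log has been pasted into a forum in pieces. The regexes assume the MBAM 1.x text format; the category rules are my own heuristics; SAMPLE_LOG is constructed to mirror the posted log with the user-specific profile paths replaced by "user".

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log (the layout in the post above) and triage it.
Added example for this thread; not code from the poster or from Malwarebytes.
SAMPLE_LOG is constructed to mirror the posted log; profile paths replaced with 'user'."""
import re
from collections import Counter

# Detail-section headers as MBAM 1.x prints them (no count after the colon) ...
SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                        r"Registry Data Items|Folders|Files) Infected:$")
# ... and the summary lines at the top: "<Section> Infected: <count>"
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected: (?P<n>\d+)$")
# One finding: "<location> (<Detection.Name>) -> [Value: X -> ]<action>."
FINDING_RE = re.compile(r"^(?P<location>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?$")

# Registry paths that run code at logon. Policies\Explorer\Run, hit in the posted log,
# is a legitimate but less-watched autostart key, so it is listed explicitly (my heuristic list).
AUTOSTART_MARKERS = ("\\currentversion\\run",                      # also covers RunOnce
                     "\\currentversion\\policies\\explorer\\run",
                     "\\winlogon\\")


def classify(section, location):
    """Tag a finding by where it lived; that says more about persistence than the family name."""
    loc = location.lower()
    if section.startswith("Registry"):
        return "registry-autostart" if any(m in loc for m in AUTOSTART_MARKERS) else "registry-other"
    if "\\extensions\\{" in loc:                          # Firefox extension GUID folder
        return "browser-extension"
    if "\\temp\\" in loc:
        return "temp-dropper"
    if "\\all users\\application data\\" in loc or "\\programdata\\" in loc:
        return "shared-profile-binary"
    if "\\application data\\" in loc or "\\appdata\\" in loc:
        return "user-profile-binary"
    return "other"


def parse_mbam_log(text):
    """One dict per finding line; anything outside a detail section is ignored."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = SECTION_RE.match(line)
        if h:
            section = h.group(1)
            continue
        m = FINDING_RE.match(line) if section else None
        if not m:
            continue
        parts = m.group("rest").split(" -> ")            # registry values carry "Value: X -> <action>"
        findings.append({"section": section, "location": m.group("location"),
                         "detection": m.group("detection"), "action": parts[-1],
                         "detail": " -> ".join(parts[:-1]) or None,
                         "category": classify(section, m.group("location"))})
    return findings


def check_complete(text, findings):
    """Header totals vs detail lines. A non-empty result means the pasted log is truncated or edited."""
    expected = {c.group("section"): int(c.group("n"))
                for c in map(COUNT_RE.match, (ln.strip() for ln in text.splitlines())) if c}
    actual = Counter(f["section"] for f in findings)
    return {s: (n, actual.get(s, 0)) for s, n in expected.items() if n != actual.get(s, 0)}


def summarize(findings):
    """Detection families, persistence categories, and anything MBAM did not finish removing."""
    return {"families": Counter(f["detection"] for f in findings),
            "categories": Counter(f["category"] for f in findings),
            "not_removed": [f["location"] for f in findings
                            if not f["action"].lower().startswith("quarantined and deleted")]}


# Constructed sample modelled on the posted log (not the poster's actual file).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
Scan type: Quick scan
Registry Values Infected: 1
Folders Infected: 2
Files Infected: 3

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\user\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d} (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\user\local settings\Temp\~!#29.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\privacy.exe (Rogue.PrvacyProtect) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf (Worm.Prolaco.M) -> Delete on reboot.
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found))
    print("truncation check:", check_complete(SAMPLE_LOG, found) or "header totals match")
```

    Run it against a real mbam-log-*.txt by reading the file into parse_mbam_log. A "Delete on reboot" action or any non-empty result from check_complete is the signal to ask for a rescan or the full log before calling the machine clean; the category counts tell you at a glance whether the infection had a logon persistence point or only dropped files.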
     
  2. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    I'm trying to post GMER.log but it is too long - 500,000+ vs 50,000 limit.

    DDS.TXT will not post because there are 7 images which is over the 6 image limit. I don't understand this as I am cutting and pasting the exact file with nothing added.

    Cannot find ATTACH.TXT

    How do I get these files posted?
     
  3. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Part 1 of DDS.TXT

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_16
    Run by Chris Janien at 22:06:11 on 2011-11-20
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3032.2113 [GMT -5:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\DTS.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\AtService.exe
    C:\WINDOWS\system32\FpLogonServ.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
    C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
    C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
    C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\system32\wscntfy.exe
     
  4. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
    BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    BHO: 1 (0x1) - No File
    BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
    mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
    mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
    mRun: [TpShocks] TpShocks.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
    mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
    mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
    mRun: [AMSG] c:\progra~1\thinkv~1\amsg\Amsg.exe /startup
    mRun: [CameraApplicationLauncher] c:\program files\lenovo\camera center\bin\CameraApplicationLaunchpadLauncher.exe
    mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
    mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
    mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
    mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [ToolboxFX] "c:\program
     
  5. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Edit to condense log into previous post.
     
  6. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Edit to condense log into previous post.
     
  7. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Edit to condense log into previous post.
     
  8. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Edit to condense log into previous post.
    DDS log is continued below.

    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: ACNotify - ACNotify.dll
    Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
    Notify: igfxcui - igfxdev.dll
    LSA: Notification Packages = scecli ACGina
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2011-9-21 25968]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2011-3-29 20592]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-20 442200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-20 320856]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-9-21 13680]
    R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-20 20568]
    R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-26 1676536]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-20 44768]
    R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2011-9-21 292200]
    R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-26 98304]
    R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-10-26 118784]
    R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2010-10-25 145920]
    R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-10-26 69632]
    R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\thinkpad\utilities\PWMEWSVC.exe [2011-9-21 148840]
    R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-9-21 130920]
    R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-9-23 64952]
    R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-14 520192]
    R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 360448]
    R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-10-26 2058776]
    R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [2010-10-26 72448]
    R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2010-10-26 482176]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-10-26 241880]
    R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2010-10-26 23080]
    R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-6 136176]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-9-21 45496]
    S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-26 106496]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-6 136176]
    S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [2011-5-11 20504]
    S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [2011-5-11 21528]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-11-21 01:30:09 -------- d-----w- c:\documents and settings\chris janien\application data\Malwarebytes
    2011-11-21 01:29:45 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-11-21 01:29:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-21 01:29:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-20 23:32:16 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-11-20 23:32:07 41184 ----a-w- c:\windows\avastSS.scr
    2011-11-20 23:31:56 -------- d-----w- c:\program files\AVAST Software
    2011-11-20 23:31:56 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    .
    ==================== Find3M ====================
    .
    2011-10-19 18:14:06 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-22 03:15:05 73728 ------w- c:\windows\system32\javacpl.cpl
    2011-09-22 03:15:05 472808 ------w- c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 22:06:54.48 ===============
     
  9. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    One line in the DDS.TXT file would not load for some reason so I have parsed it out.
     
  10. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Re ran GMER

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-11-21 02:14:17
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.FC2Z
    Running: ucjzuyfi.exe; Driver: C:\DOCUME~1\CHRISJ~1\LOCALS~1\Temp\ugtdipog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0x99BC5D5A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0x99BC5BC5]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x99C1D9A6]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)
    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! It would have been easier for you - and me - if you pasted as much of a log as could fit in a post instead of pieces of it. I'm going to try to get it together. Will be back.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please don't string the logs out like you did with DDS. I have edited the posts and added most of the DDS.txt sections together, with the remainder in the following post.

    I cannot tell at this point if the system is clean. There were Worms and rogue software programs found. Why couldn't you paste in the Attach.txt log from DDS?

    Are all the entries for the Citrix XenApp (formerly Citrix MetaFrame Server and Citrix Presentation Server) set up intentionally, and are they all necessary? The multiple filter entries are:
    Name(s): application/x-ica, ica
    Filename: IcaMimeFilter.dll
    =====================================================
    Please let me know about the Attach.txt problem.
    =====================================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =========================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================

    It would be helpful for you to tell me what problems were being caused, not just that you had malware.
     
  13. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Hi Bobbye,

    Sorry about the multiple posts of GMER and thank you for condensing my posts.

    The reason for the multiple posts of GMER is that one line of the log was stopping my upload to Techspot. I kept getting an error saying I had 7 graphics in the upload and was only allowed 6. The only way to figure out where the problem was was to parse the file and send it in pieces. Fortunately the multiple GMER msgs are in sequence.

    Also on my first run of GMER I got a log file that was 500,000+ characters. It was too big to upload as Techspot would only take 50,000. I think I may have caused that problem by hitting the "scan" button once GMER opened. You might want to make the FAQ a little clearer on that point.

    The ATTACH.TXT does not exist. I've done several searches of the entire disk and could not find the file. Even searching by create date, in case I had the name wrong, did not find anything. Should I rerun DDS? Where does DDS place the ATTACH.TXT file?

    The Citrix programs are necessary for accessing a cloud program and database. IcaMimeFilter.dll is part of the Citrix package as it is sitting in the Citrix directory.

    I will run the additional programs as you have instructed and post the results unless you need me to run DDS first to get a new ATTACH.TXT file.

    Thanks for all of your help,

    Chris

    PS do you want to see the one GMER line in that log that caused the upload problem?
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You should not have had any images (graphics) in the logs. Don't put any 'Smileys' in the post. We have increased the allowed character limit- this is usually enough to hold the prelim. logs. But another post can be used if needed.

    There is a
    right above "Post the log." If a member overlooks that and does 'show all', it will generate a huge, multi-post log. Perhaps that's what happened to you. I don't need that last line now.

    I guess you did a search for Attach.txt in the system. If you cannot find it, please run DDS again. Just paste in the Attach.txt log - I don't need the other one again. Please ignore the instruction to 'not post unless asked' and to 'zip' - just paste it in. The log you fragmented that I edited together was for a large section of the DDS.txt log.

    Please paste the Attach.txt log in first. Follow that with the log from the Eset online virus scan.

    Just so you don't run into the problem again, go ahead to another reply for the Combofix log. There is sometimes a section in the middle of the log which can make it lengthy, but I can't predict that. If you do need to split that log, split at the end of a section, not in the middle.

    No problem with Citrix. Just being on the safe side.
     
  15. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    ATTACH.TXT

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/26/2010 9:31:15 PM
    System Uptime: 11/21/2011 9:48:39 AM (5 hours ago)
    .
    Motherboard: LENOVO | | 7454CTO
    Processor: Intel Pentium III Xeon processor | None | 2393/266mhz
    Processor: Intel Pentium III Xeon processor | None | 2394/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 142 GiB total, 115.388 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) Active Management Technology - SOL
    Device ID: PCI\VEN_8086&DEV_2A47&SUBSYS_20EC17AA&REV_07\3&B1BFB68&0&1B
    Manufacturer: Intel
    Name: Intel(R) Active Management Technology - SOL (COM4)
    PNP Device ID: PCI\VEN_8086&DEV_2A47&SUBSYS_20EC17AA&REV_07\3&B1BFB68&0&1B
    Service: Serial
    .
    ==== System Restore Points ===================
    .
    RP152: 8/24/2011 12:03:07 PM - System Checkpoint
    RP153: 8/25/2011 5:29:14 PM - System Checkpoint
    RP154: 8/29/2011 12:14:55 PM - System Checkpoint
    RP155: 8/30/2011 8:20:59 PM - System Checkpoint
    RP156: 9/1/2011 3:50:05 PM - System Checkpoint
    RP157: 9/3/2011 12:45:38 AM - System Checkpoint
    RP158: 9/4/2011 4:21:37 AM - System Checkpoint
    RP159: 9/5/2011 8:21:37 AM - System Checkpoint
    RP160: 9/6/2011 12:04:17 PM - System Checkpoint
    RP161: 9/8/2011 8:48:28 PM - System Checkpoint
    RP162: 9/11/2011 5:46:08 PM - System Checkpoint
    RP163: 9/12/2011 6:00:14 PM - Removed HP Update.
    RP164: 9/21/2011 11:11:01 PM - Removed Adobe Reader 8.2.6
    RP165: 9/21/2011 11:14:58 PM - Installed Java(TM) 6 Update 26
    RP166: 9/21/2011 11:50:00 PM - Installed ThinkPad Power Management Driver
    RP167: 9/22/2011 12:24:12 AM - Installed Power Manager
    RP168: 9/22/2011 12:25:20 AM - Installed Message Center
    RP169: 9/22/2011 2:25:45 AM - Software Distribution Service 3.0
    RP170: 10/7/2011 4:12:29 PM - System Checkpoint
    RP171: 10/8/2011 3:00:12 AM - Software Distribution Service 3.0
    RP172: 10/9/2011 6:26:29 PM - System Checkpoint
    RP173: 10/10/2011 8:31:16 PM - System Checkpoint
    RP174: 10/11/2011 11:10:03 PM - System Checkpoint
    RP175: 10/12/2011 10:53:34 AM - Software Distribution Service 3.0
    RP176: 10/13/2011 11:27:09 AM - System Checkpoint
    RP177: 10/14/2011 11:21:14 PM - Configured Presentation Director
    RP178: 10/14/2011 11:21:48 PM - Installed EasyEject Utility
    RP179: 10/14/2011 11:22:32 PM - Installed ThinkVantage Access Connections
    RP180: 10/14/2011 11:23:21 PM - Installed ThinkPad Keyboard Customizer Utility
    RP181: 10/14/2011 11:24:02 PM - Installed Access Help
    RP182: 10/14/2011 11:24:41 PM - Installed Help Center
    RP183: 10/16/2011 10:27:37 PM - System Checkpoint
    RP184: 10/20/2011 12:34:20 AM - System Checkpoint
    RP185: 10/21/2011 8:53:37 AM - System Checkpoint
    RP186: 10/24/2011 4:54:29 PM - System Checkpoint
    RP187: 10/25/2011 9:26:18 PM - System Checkpoint
    RP188: 10/26/2011 9:49:49 PM - System Checkpoint
    RP189: 10/27/2011 10:49:49 PM - System Checkpoint
    RP190: 10/29/2011 4:32:29 PM - System Checkpoint
    RP191: 10/30/2011 5:12:27 PM - System Checkpoint
    RP192: 10/31/2011 11:18:34 PM - System Checkpoint
    RP193: 11/2/2011 12:16:09 AM - System Checkpoint
    RP194: 11/3/2011 11:40:07 AM - System Checkpoint
    RP195: 11/4/2011 2:58:11 PM - System Checkpoint
    RP196: 11/5/2011 6:46:48 PM - System Checkpoint
    RP197: 11/6/2011 6:38:07 PM - System Checkpoint
    RP198: 11/7/2011 7:04:39 PM - System Checkpoint
    RP199: 11/9/2011 4:58:01 PM - System Checkpoint
    RP200: 11/10/2011 9:53:08 AM - Software Distribution Service 3.0
    RP201: 11/13/2011 10:58:06 PM - System Checkpoint
    RP202: 11/15/2011 10:50:21 AM - System Checkpoint
    RP203: 11/16/2011 11:31:05 PM - System Checkpoint
    RP204: 11/18/2011 7:46:28 PM - System Checkpoint
    RP205: 11/20/2011 6:31:56 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Access Help
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.3.1
    avast! Free Antivirus
    Camera Center
    CCleaner
    Citrix online plug-in - web
    Citrix online plug-in (DV)
    Citrix online plug-in (HDX)
    Citrix online plug-in (USB)
    Citrix online plug-in (Web)
    Client Security - Password Manager
    Conexant 20561 SmartAudio HD
    Design Manager Professional 5.0
    Google Chrome
    Google Toolbar for Firefox
    Google Toolbar for Internet Explorer
    Google Update Helper
    Help Center
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB889816)
    Hotfix for Windows XP (KB893357)
    Hotfix for Windows XP (KB894686)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB898456)
    Hotfix for Windows XP (KB903250)
    Hotfix for Windows XP (KB909095)
    Hotfix for Windows XP (KB909667)
    Hotfix for Windows XP (KB910728)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB916189)
    Hotfix for Windows XP (KB917332)
    Hotfix for Windows XP (KB918005)
    Hotfix for Windows XP (KB918837)
    Hotfix for Windows XP (KB923293)
    Hotfix for Windows XP (KB928388)
    Hotfix for Windows XP (KB929120)
    Hotfix for Windows XP (KB934205)
    Hotfix for Windows XP (KB935192)
    Hotfix for Windows XP (KB949483)
    Hotfix for Windows XP (KB949764)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    HP LaserJet Professional CM1410 Series
    HP LJ CM1410 MFP Series HP Scan
    HP Update
    HPLaserJetHelp_LearnCenter
    HPLJUT
    hppCM1410LaserJetService
    hppFaxDrvCM1410
    hppFaxUtilityCM1410
    hppLaserJetService
    hppSendFaxCM1410
    hppTLBXFXCM1410
    hpzTLBXFX
    I.R.I.S. OCR
    Integrated Camera Driver Installer Package Ver.1.18.500.0
    Integrated Camera TWAIN
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Interface
    Intel(R) Network Connections Drivers
    Intel(R) PROSet/Wireless WiFi Software
    Intel® Active Management Technology
    Intel® Trusted Platform Module
    J2SE Runtime Environment 5.0 Update 16
    Java Auto Updater
    Java(TM) 6 Update 26
    Lenovo Auto Scroll Utility
    Lenovo Fingerprint Software
    Lenovo Registration
    Lenovo System Interface Driver
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Marketsplash Shortcuts
    Message Center
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 SR-1 Professional
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mobile Broadband Connect
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    On Screen Display
    PC-Doctor 5 for Windows
    Presentation Director
    Productivity Center Supplement for ThinkPad
    Rescue and Recovery
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Skype™ 5.0
    Spybot - Search & Destroy
    System Migration Assistant
    System Update
    ThinkPad Bluetooth with Enhanced Data Rate Software
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Integration Setup
    ThinkPad Hotkey Features Setup
    ThinkPad Keyboard Customizer Utility
    ThinkPad Modem Adapter
    ThinkPad PC Card Power Policy
    ThinkPad Power Management Driver
    ThinkPad Power Manager
    ThinkPad TrackPoint Driver
    ThinkVantage Access Connections
    ThinkVantage Active Protection System
    ThinkVantage Productivity Center
    ThinkVantage Technologies Welcome Message
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB912945)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Verizon Wireless BroadbandAccess Self Activation
    Wallpapers
    WebFldrs XP
    Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (10/02/2008 8.1.2.37)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Live Toolbar
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883517
    Windows XP Hotfix - KB883523
    Windows XP Hotfix - KB884020
    Windows XP Hotfix - KB884575
    Windows XP Hotfix - KB884868
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885855
    Windows XP Hotfix - KB885894
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB889315
    Windows XP Hotfix - KB889673
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB896613
    XP Themes
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/20/2011 7:00:36 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 12 time(s).
    11/20/2011 7:00:00 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 11 time(s).
    11/20/2011 6:58:27 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 10 time(s).
    11/20/2011 6:55:36 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 9 time(s).
    11/20/2011 6:54:35 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 8 time(s).
    11/20/2011 6:53:47 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 7 time(s).
    11/20/2011 6:52:57 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 6 time(s).
    11/20/2011 6:52:24 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 5 time(s).
    11/20/2011 6:51:46 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 4 time(s).
    11/20/2011 5:42:35 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
    11/20/2011 5:39:09 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    11/20/2011 5:38:24 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'serial.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    11/20/2011 5:38:22 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/20/2011 5:36:23 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.
    11/20/2011 5:36:23 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/20/2011 5:35:23 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/18/2011 6:21:04 PM, error: Dhcp [1002] - The IP address lease 192.168.1.118 for the Network Card with network address 00216A33492C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
     
  16. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Duplicate post
     
  17. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    ESET Online Scanner did not find anything.
    ComboFix 11-11-21.01 - Chris Janien 11/21/2011 18:30:26.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3032.2503 [GMT -5:00]
    Running from: c:\doc\Download\Combofix\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Hawkins\Application Data\.#
    c:\windows\$NtUninstallKB48551$
    c:\windows\$NtUninstallKB48551$\3677382295\@
    c:\windows\$NtUninstallKB48551$\3677382295\bckfg.tmp
    c:\windows\$NtUninstallKB48551$\3677382295\cfg.ini
    c:\windows\$NtUninstallKB48551$\3677382295\Desktop.ini
    c:\windows\$NtUninstallKB48551$\3677382295\kwrd.dll
    c:\windows\$NtUninstallKB48551$\3677382295\L\hvmonmrs
    c:\windows\$NtUninstallKB48551$\3677382295\lsflt7.ver
    c:\windows\$NtUninstallKB48551$\3677382295\U\00000001.@
    c:\windows\$NtUninstallKB48551$\3677382295\U\00000002.@
    c:\windows\$NtUninstallKB48551$\3677382295\U\00000004.@
    c:\windows\$NtUninstallKB48551$\3677382295\U\80000000.@
    c:\windows\$NtUninstallKB48551$\3677382295\U\80000004.@
    c:\windows\$NtUninstallKB48551$\3677382295\U\80000032.@
    c:\windows\$NtUninstallKB48551$\3711939319
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-21 23:07 . 2011-11-21 23:08 -------- d-----w- C:\rei
    2011-11-21 23:07 . 2011-11-21 23:07 -------- d-----w- c:\program files\Reimage
    2011-11-21 01:30 . 2011-11-21 01:30 -------- d-----w- c:\documents and settings\Chris Janien\Application Data\Malwarebytes
    2011-11-21 01:29 . 2011-11-21 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-11-21 01:29 . 2011-11-21 01:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-21 01:29 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-20 23:33 . 2011-11-20 23:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-11-20 23:32 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-11-20 23:32 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-11-20 23:32 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-11-20 23:32 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-11-20 23:32 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-11-20 23:32 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-11-20 23:32 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-11-20 23:32 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-11-20 23:32 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
    2011-11-20 23:32 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-11-20 23:31 . 2011-11-20 23:31 -------- d-----w- c:\program files\AVAST Software
    2011-11-20 23:31 . 2011-11-20 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-19 18:14 . 2011-09-22 03:44 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-22 03:15 . 2011-09-22 03:15 73728 ------w- c:\windows\system32\javacpl.cpl
    2011-09-22 03:15 . 2011-09-22 03:15 472808 ------w- c:\windows\system32\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-07 39408]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
    "TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-03-26 62312]
    "TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-09-29 93472]
    "TpShocks"="TpShocks.exe" [2011-03-29 337256]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-08 165208]
    "LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-08 124248]
    "AMSG"="c:\progra~1\THINKV~1\AMSG\Amsg.exe" [2009-09-03 436800]
    "CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2008-08-12 16384]
    "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2011-07-04 800104]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2011-07-04 208896]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2011-04-14 431464]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2011-04-14 189800]
    "cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-14 3073336]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
    "ToolboxFX"="c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
    "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-13 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-13 170008]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-13 145432]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-3-28 596584]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-10-26 50688]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
    2008-10-27 01:41 180224 ------w- c:\windows\system32\FpWinlogonNp.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\HP\\csiInstaller\\0EF0EA0D-F945-4958-85CC-60FF1E86D216\\Installer\\hpbcsiInstaller.exe"=
    .
    R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [9/21/2011 11:24 PM 25968]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/29/2011 6:12 PM 20592]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/20/2011 6:32 PM 442200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/20/2011 6:32 PM 320856]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 11:51 AM 65584]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/21/2011 10:50 PM 13680]
    R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 7:50 AM 46144]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/20/2011 6:32 PM 20568]
    R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [10/26/2008 8:33 PM 1676536]
    R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [9/21/2011 11:24 PM 292200]
    R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [10/26/2008 8:38 PM 98304]
    R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [10/26/2008 8:41 PM 118784]
    R2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [10/25/2010 1:53 PM 145920]
    R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/26/2010 8:20 PM 69632]
    R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.exe [9/21/2011 11:24 PM 148840]
    R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [9/21/2011 10:50 PM 130920]
    R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/23/2008 9:20 PM 64952]
    R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 6:25 PM 520192]
    R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 7:50 AM 360448]
    R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/26/2010 8:03 PM 2058776]
    R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [10/26/2010 8:06 PM 72448]
    R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [10/26/2010 8:12 PM 482176]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [10/26/2010 7:51 PM 241880]
    R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [10/26/2010 8:06 PM 23080]
    R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 5:54 PM 37312]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/6/2010 10:06 PM 136176]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/21/2011 10:50 PM 45496]
    S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [10/26/2008 8:38 PM 106496]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/6/2010 10:06 PM 136176]
    S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [5/11/2011 11:37 PM 20504]
    S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [5/11/2011 11:37 PM 21528]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-21 c:\windows\Tasks\At2.job
    - c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
    .
    2011-11-21 c:\windows\Tasks\At3.job
    - c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
    .
    2011-11-21 c:\windows\Tasks\At4.job
    - c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
    .
    2011-11-10 c:\windows\Tasks\At5.job
    - c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
    .
    2011-11-21 c:\windows\Tasks\At6.job
    - c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
    .
    2011-11-19 c:\windows\Tasks\At7.job
    - c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
    .
    2011-11-21 c:\windows\Tasks\At8.job
    - c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
    .
    2011-11-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]
    .
    2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 03:06]
    .
    2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 03:06]
    .
    2011-11-21 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-10-27 05:39]
    .
    2011-11-21 c:\windows\Tasks\Reimage Reminder.job
    - c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-11-07 12:51]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 68.87.71.230
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-ACNotify - ACNotify.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-21 18:55
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1016)
    c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
    c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
    c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
    c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
    c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
    c:\windows\system32\FpWinLogonNp.dll
    c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
    c:\program files\Lenovo Fingerprint Software\SharedResources.dll
    c:\program files\Lenovo Fingerprint Software\FPResource.dll
    c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
    c:\program files\Lenovo\Client Security Solution\css_banner.dll
    c:\windows\system32\cssuserdatadispatcher.dll
    c:\windows\system32\tvttsp.dll
    c:\windows\system32\tcsrpc.dll
    .
    - - - - - - - > 'explorer.exe'(5444)
    c:\windows\system32\WININET.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\MSCTF.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    c:\program files\Intel\WiFi\bin\S24EvMon.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Intel\AMT\LMS.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    c:\windows\system32\TpKmpSVC.exe
    c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
    c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\lenovo\system update\suservice.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\LENOVO\HOTKEY\tposdsvc.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\program files\Lenovo\HOTKEY\TPONSCR.exe
    c:\program files\Lenovo\Zoom\TpScrex.exe
    c:\windows\system32\TpShocks.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
    c:\windows\system32\igfxext.exe
    c:\program files\Citrix\ICA Client\wfcrun32.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Microsoft Office\Office\1033\msoffice.exe
    c:\progra~1\ThinkPad\UTILIT~1\SCHTASK.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-21 18:59:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-21 23:59
    .
    Pre-Run: 123,865,833,472 bytes free
    Post-Run: 124,202,110,976 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 490F0DD9E4F375797A30AC734EB4E1D5
     
  18. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Bobbye,

    I did get a notification from Combofix that Rootkit.ZeroAccess was inserted into the TCP/IP stack and then again that RootKit detected.

    Not happy about this. I appreciate your help.

    Chris
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Remove Zero.Access

    I just put this together and haven't had time to do all the formatting yet, but what you need is here:
    Determine if you are infected with Zero.Access

    1. Open the Task Manager by pressing Ctrl + Shift + Esc on your keyboard or by right-clicking the Start Menu bar and selecting Task Manager.

    2. Be sure that "Show processes from all users" is selected at the bottom left-hand corner of the window. Click "Image Name" to sort this column alphabetically and then look at the top of the list.

    If you are infected with the Zero.Access rootkit, you will see a running process such as "1077238835:3433286335.exe" (example only; your computer may display different numbers).

    ESET has provided a stand-alone malware removal tool to remove this particularly resilient threat. Follow the steps below.

    1. Download, save and run the 'Win32/Sirefef' stand-alone malware removal tool while in Normal Mode and follow the prompts as directed.
    2. Restart your computer into Safe Mode with Networking after running the stand-alone tool.
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
    3. Run the ESET Online Scanner while in Safe Mode with Networking.

    If you receive an error during any part of the process, locate the ESET Online Scanner program by clicking Start> Control Panel> Add/Remove Programs and remove it from your system. Run the scan again by double-clicking the esetsmartinstaller.exe installer you downloaded before. No restart is necessary after running the ESET Online Scanner.

    4. Once the machine is clean and while still in Safe Mode with Networking, run the ESET Uninstaller. Follow the instructions by clicking the following link:

    Windows Vista/Home Server/XP/2003 R2/2003/2000

    5. The infection should be removed. Restart your computer normally.

    Please let me know how this goes.

    Combofix has removed one of the related entries.
    =============================================
    To anyone who may be reviewing this thread: Note: These directions are only for the member who started this thread. Do not attempt to run this on your own.
     
  20. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Did not see the ZeroAccess process running in the task manager. Should I run any other routines or cleanup?
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Catching up! Combofix may have removed the only entries remaining.

    But I'd like you to Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ===========================================
    There are other entries that need to be removed. I'm writing script for you to run through Combofix. Go ahead and run the Mbam full scan while I'm doing it. I'll be returning shortly.
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I just noticed this recent install:

    2011-11-21 23:07 -------- d-----w- c:\program files\Reimage
    2011-11-21 23:08 -------- d-----w- C:\rei>> is this a directory for Reimage?
    ------------------------------------------------------
    If you have not paid for this costly program yet and have a Trial Period, I recommend that you uninstall it:
    Description and rating from PC magazine:
    Regardless of whether you decide to keep it or not, please disable it if it is running in the background. Please don't install any more new programs while I am helping you.
     
  23. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Thanks for pointing out Reimage. While trying to download Combofix, I clicked on the wrong download link and got Reimage. Thought the install file was just sitting in my download directory. Didn't subscribe and didn't run it.

    Just uninstalled Reimage. Updated and running Malwarebytes now.

    Did not hear from you for four days so thought we were done. I did some research on zero.access -- nasty piece of code! Marco Giuliani of Webroot wrote a good white paper about the malware. Ran Webroot's zero.access routine and nothing was found. Also FYI the pc has been used for email and web browsing with no problems -- so far.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8254

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    11/27/2011 8:07:53 PM
    mbam-log-2011-11-27 (20-07-53).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 248171
    Time elapsed: 27 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You asked about cause and protection from malware. I'll give you some security info and ideas of how the malware got on the system when we finish.
    =============================
    Run command for delete At.job first

    • Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

      Code:
      
      del /a/f/q "C:\WINDOWS\Tasks\At*.job"
      
    • Save this as delete.bat and choose to Save as type: - All Files
    • Close the Notepad file.
    • Double-click on delete.bat. It should look like this:
    • Allow it to run. Please delete the file afterwards.
    ===============================
    Some of the Scheduled Tasks can't be removed in the Command above, but I would encourage you to stop these also:
    1. c:\windows\Tasks\Check Updates for Windows Live Toolbar.job (set in 2007)
    2. c:\windows\Tasks\PMTask.job (set 2010 from ThinkPad)
    3. c:\windows\Tasks\Reimage Reminder.job
    --------------------
    Scheduled Tasks
    Most of these found are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.

    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    To change the settings for a task: right-click the Task> click Properties> do any of the following:
    1. To change the schedule for the task, click the Schedule tab.
    2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
    3. To delete a task> right-click the task> click Delete.
    4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.

    Maintenance Scheduled Tasks such as defrag are in a separate category.
    ======================================
    Question: Have you ever checked the Lenovo/ThinkPad processes to see if you need/want/use them all? You have a great number of processes running that were pre-loaded on the system. Most times, the user doesn't realize some are using resources needlessly and can be stopped/reset to Manual or uninstalled altogether.

    At this point, that company is running your system, not you. Are you comfortable with that?
    =======================================
    Other than the Tasks I brought to your attention, you don't need to run any script. I will reserve the status however until I see the Mbam full scan.
    ======================================
    Two of the three malwares were from unsafe email practices: See Safe Email Handling, #8 below

    1. Name: RTHDBPL>> Added by the Troj/Mdrop-CKT

    This Trojan arrives as attachment to email messages spammed by another malware or a malicious user.

    It may be dropped by other malware and may be downloaded unknowingly by a user when visiting malicious Web site(s).

    It takes advantage of a known vulnerability in Microsoft Excel that allows remote code execution. More information on the said vulnerability is available in the following Microsoft Web page: http://technet.microsoft.com/en-us/security/bulletin/MS08-014

    2. Name: Worm:Win32/Prolaco.M
    Methods of propagation:
    Email
    • Peer to Peer

    Side effects:
    • Lowers security settings
    • Downloads malicious files
    • Drops malicious files
    • Registry modification
    Firefox Extension: Side effects:
    • Lowers security settings
    • Downloads malicious files
    • Drops malicious files
    • Registry modification
    (may show as Trojan:Win32/Dursg.E CLSID: {9CE11043-9A15-4207-A565-0C94C42D590D})

    If this was received via email, most likely at least one user opened the email attachment. Once machines are infected this risk does attempt to spread through networks to other systems.

    3. (Rogue.PrvacyProtect) aliases Trojan/Win32.FakeAV TR/Crypt.ZPACK.Gen2
    http://ezinearticles.com/?Privacy-Protection---A-New-Member-in-the-Family-of-Rogues&id=6677711
    ==========================================
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      [o] Comodo
      [o] Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o] Spybot Search & Destroy
    4. Updates: Stay current:
      [o] Check the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o] Adobe Reader: Install current, uninstall old.
      [o] Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o] See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
    =============================
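Added example (editor's note, not code from the thread, from Bobbye or from TechSpot): the two checks Bobbye walks the poster through by hand, the Task Manager look for a ZeroAccess-style process name (post #19, example "1077238835:3433286335.exe") and the `At*.job` cleanup in `C:\WINDOWS\Tasks` (post #24), written as small Python functions run over constructed sample listings. The function names and the sample process and task lists are my own; the only outside fact assumed is that Windows `at.exe` names the jobs it creates `At1.job`, `At2.job`, and so on, which is why a stricter `At<digits>.job` pattern is offered next to the thread's wildcard.

```python
import fnmatch
import re

# Indicator 1 (post #19): ZeroAccess shows up in Task Manager under a name made of
# digits, a colon, digits and ".exe", e.g. "1077238835:3433286335.exe".
ZEROACCESS_PROCESS = re.compile(r"^\d+:\d+\.exe$", re.IGNORECASE)

# Indicator 2 (post #24): the leftover scheduler jobs that delete.bat removes with
#   del /a/f/q "C:\WINDOWS\Tasks\At*.job"
# at.exe names its jobs At1.job, At2.job, ... so the stricter form is At<digits>.job.
AT_JOB_GLOB = "at*.job"
AT_JOB_STRICT = re.compile(r"^at\d+\.job$", re.IGNORECASE)


def find_zeroaccess_processes(image_names):
    """Return the Task Manager image names that match the ZeroAccess naming pattern."""
    return sorted(n for n in image_names if ZEROACCESS_PROCESS.match(n))


def find_at_jobs(task_filenames, strict=False):
    """Return the .job files a Tasks-folder listing that the thread's At*.job wildcard
    would select, or with strict=True only those shaped like at.exe's At<digits>.job.
    Windows filenames are case-insensitive, so both comparisons ignore case."""
    if strict:
        return sorted(f for f in task_filenames if AT_JOB_STRICT.match(f))
    return sorted(f for f in task_filenames if fnmatch.fnmatchcase(f.lower(), AT_JOB_GLOB))


def triage(image_names, task_filenames):
    """Summarise both indicators. 'wildcard_only' lists files the del wildcard would
    remove that do not look like at.exe jobs, so they can be reviewed before running the .bat."""
    wide = find_at_jobs(task_filenames)
    narrow = find_at_jobs(task_filenames, strict=True)
    return {
        "zeroaccess_processes": find_zeroaccess_processes(image_names),
        "at_jobs": narrow,
        "wildcard_only": sorted(set(wide) - set(narrow)),
    }


# Constructed sample input (hypothetical listings, not the thread's own logs).
SAMPLE_PROCESSES = [
    "System", "smss.exe", "winlogon.exe", "explorer.exe",
    "AvastSvc.exe", "1077238835:3433286335.exe", "GoogleUpdate.exe",
]
SAMPLE_TASKS = [
    "GoogleUpdateTaskMachineCore.job", "GoogleUpdateTaskMachineUA.job",
    "PMTask.job", "Reimage Reminder.job", "At1.job", "AT12.job", "Attach.job",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCESSES, SAMPLE_TASKS).items():
        print(f"{key}: {value}")
```

On the sample data the wildcard also picks up `Attach.job`, a task whose name merely starts with "At"; the strict pattern leaves it alone, which is the check worth doing before a `del` with a wildcard. On a live XP machine the two inputs would come from the Image Name column of Task Manager (or `tasklist` output) and a directory listing of `C:\WINDOWS\Tasks`; the block keeps them inline so it runs offline.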
     
  25. cjanien

    cjanien TS Booster Topic Starter Posts: 117

    Wow! That is a great list of tips! Thank you very much.

    You mention Worm:Win32/Prolaco.M as spreading thru a network. What should I do with my other PCs (XP, Vista, W7 opsys) that are on my LAN? Is MBAM sufficient?

    Second, is it better to move to Win7? My tech says Win7 and MS Defender(?) are not easily infected. Is 64-bit opsys better to use than 32-bit? Looks like zero.access is a 32-bit only malware.

    Finally, I will go thru the Lenovo processes. When I pull up the task manager I am always amazed at the number of items running. Problem is the names are so cryptic I don't know what they are. I've started to use msconfig to view the startup programs, but can't I have additional programs started by commands in the registry file? How do I handle that?

    Again, thank you so much for your help. You guys have created a site that I find indispensable.
     
