TechSpot

Security sphere 2012 - help

By ads1978
Dec 21, 2011
  1. My wife's laptop is infected. I did a few things already, one of which maybe I should have waited for.
    1. I ran rkill - had to use a jump drive to get it on the computer since the internet isn't working.
    2. Ran Malwarebytes. It picked up one infected file. I removed the selected file and restarted like it asked me to. Upon restart, the virus was still there.
    3. Ran rkill again. Had a hard time as avast was trying to open it in the sandbox. Got it open and running again.
    4. Ran ComboFix. I know I should have waited, but did not see that part until now. That is why I am e-mailing.
    5. The final issue I am facing is no internet. I had this before running ComboFix. Could not obtain an IP address. Could not repair the connection. Says that the rps server is unavailable. Went to services.msc, found the rps server was stopped, so I restarted it. Still nothing.

    Here is the log from ComboFix:
    ComboFix 11-12-20.04 - Jodie 12/20/2011 23:00:06.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1092 [GMT -5:00]
    Running from: c:\documents and settings\Jodie\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\Jodie\g2mdlhlpx.exe
    c:\documents and settings\Jodie\WINDOWS
    c:\windows\$NtUninstallKB976$
    c:\windows\$NtUninstallKB976$\1030500595
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\TPAPSLOG.LOG
    c:\windows\system32\TPHDLOG0.LOG
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_.afd
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-21 to 2011-12-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-21 03:42 . 2011-12-21 03:42 388096 ----a-r- c:\documents and settings\Jodie\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-12-21 03:42 . 2011-12-21 03:42 -------- d-----w- c:\program files\Trend Micro
    2011-12-01 01:18 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-28 18:01 . 2010-11-29 05:11 41184 ----a-w- c:\windows\avastSS.scr
    2011-11-28 18:01 . 2010-11-29 05:11 199816 ----a-w- c:\windows\system32\aswBoot.exe
    2011-11-28 17:53 . 2010-11-29 05:12 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-11-28 17:52 . 2010-11-29 05:11 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-11-28 17:52 . 2010-11-29 05:11 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-11-28 17:52 . 2010-11-29 05:11 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-11-28 17:51 . 2010-11-29 05:11 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-11-28 17:51 . 2010-11-29 05:12 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-11-28 17:48 . 2010-11-29 05:11 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-11-23 13:25 . 2001-08-23 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 19:20 . 2004-01-08 19:23 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2006-09-11 20:01 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:33 . 2001-08-23 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2001-08-17 13:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-18 11:13 . 2004-08-04 07:56 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-10-17 08:28 . 2011-10-17 08:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2006-09-12 06:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2002-09-23 19:10 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-02-10 01:11 . 2011-02-10 01:11 289592 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-10 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-10 512000]
    "TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
    "TP4EX"="tp4ex.exe" [2005-10-17 65536]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-11-21 385024]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]
    "TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-10-27 425984]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-10-27 143360]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
    "TpShocks"="TpShocks.exe" [2007-03-29 181808]
    "LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-07-05 110592]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
    "pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2010-03-18 614400]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-23 273544]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 03:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 00:16 24576 ----a-w- c:\windows\system32\tphklock.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    .
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 4:47 PM 19760]
    R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [9/12/2006 9:01 AM 14848]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/30/2011 8:18 PM 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/29/2010 12:12 AM 314456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/29/2010 12:12 AM 20568]
    R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [2/25/2009 10:27 AM 53248]
    R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [9/12/2006 9:01 AM 6528]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/12/2011 2:18 PM 136176]
    S2 mrtRate;mrtRate; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/12/2011 2:18 PM 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-12 19:18]
    .
    2011-12-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-12 19:18]
    .
    2011-12-21 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-12 15:56]
    .
    2011-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3675634383-3349631176-4245736006-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
    .
    2011-12-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3675634383-3349631176-4245736006-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {B3DACDE8-18DE-44BB-B779-8D195646000B} - hxxp://gsihjw01/WAAdvantageDashboard/cab/HJSDTPicker.CAB
    FF - ProfilePath - c:\documents and settings\Jodie\Application Data\Mozilla\Firefox\Profiles\jf1q7nsn.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-iJ21800DgHhL21800 - c:\documents and settings\All Users\Application Data\iJ21800DgHhL21800\iJ21800DgHhL21800.exe
    Notify-ACNotify - ACNotify.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-21 00:02
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\windows\system32\TPAPSLOG.LOG 256 bytes
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(956)
    c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
    c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
    c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
    c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\tphklock.dll
    .
    - - - - - - - > 'explorer.exe'(3132)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    c:\windows\System32\TPHDEXLG.exe
    c:\windows\system32\TpKmpSVC.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\lenovo\system update\suservice.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\rundll32.exe
    c:\program files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    c:\windows\system32\TpShocks.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\progra~1\ThinkPad\UTILIT~1\PWMUIAux.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-21 00:13:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-21 05:13
    .
    Pre-Run: 31,717,969,920 bytes free
    Post-Run: 32,632,905,728 bytes free
    .
    - - End Of File - - DD893DC27B66C7BBB13C7BA0505D3E1D


    I am at the end of my wits here. I can't get the internet to work for anything. Please help me.
  2. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    Never run Combofix on your own!
  3. ads1978

    ads1978 TS Rookie Topic Starter

    SOLVED - Thank you!

    All fixed! I was at my wits' end before I got your reply, and did something else. I had read somewhere online about a corrupt registry key that was blocking my internet from working. I located HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD, which had no values set for it. I exported it from my clean machine and imported it into the one that had no internet. Rebooted the machine and it was working like new! Ran some more scans that you recommended to make sure the virus was all gone.
    I will keep the link you gave in case it happens again (although I hope it doesn't).

    I must say though that these boards really gave me a great deal of information. I did some things I probably shouldn't have done, but that was before I found these boards.

    Thanks again.
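A small triage script for the ComboFix log in the first post, and for the AFD service loss that the third post fixes by restoring the registry key. This is an added example, not code from TechSpot, ComboFix or either poster; the line patterns it matches and the sample excerpt are taken from the log above, and the list of "network stack" services is an assumption about Windows XP.

```python
import re

# Constructed excerpt: a few lines copied from the ComboFix log in the first post, the rest omitted.
SAMPLE_LOG = """\
-------\\Service_.afd
.
"AntiVirusOverride"=dword:00000001
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-iJ21800DgHhL21800 - c:\\documents and settings\\All Users\\Application Data\\iJ21800DgHhL21800\\iJ21800DgHhL21800.exe
Notify-ACNotify - ACNotify.dll
.
hidden files: 1
"""

# Assumed set of XP services the TCP/IP stack cannot run without; losing one explains "could not obtain
# IP address" until its key under HKLM\SYSTEM\CurrentControlSet\Services is restored (the fix used in the thread).
NETWORK_SERVICES = {"afd", "tcpip", "netbt", "dhcp", "dnscache"}
# A Run value whose target sits under a profile's Application Data is a classic rogue-AV persistence spot.
SUSPICIOUS_RUN_DIRS = ("\\application data\\", "\\local settings\\temp\\")

DELETED_SERVICE = re.compile(r"^-+\\Service_\.(\S+)$")       # "Drivers/Services" deletions
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=')               # GloballyOpenPorts\List entries
ORPHAN_RUN = re.compile(r"^(HKCU|HKLM)-Run-(\S+) - (.+)$")   # "ORPHANS REMOVED" Run values
HIDDEN_FILES = re.compile(r"^hidden files: (\d+)$")          # catchme rootkit scan summary


def triage(log_text):
    """Return the findings a malware helper reads first from a ComboFix log."""
    f = {"deleted_services": [], "network_services_removed": [], "av_override": False,
         "open_ports": [], "orphan_runs": [], "suspicious_runs": [], "hidden_files": 0}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := DELETED_SERVICE.match(line):
            name = m.group(1).lower()
            f["deleted_services"].append(name)
            if name in NETWORK_SERVICES:
                f["network_services_removed"].append(name)
        elif line.startswith('"AntiVirusOverride"=dword:00000001'):
            f["av_override"] = True          # Security Center told to stop reporting AV state
        elif m := OPEN_PORT.match(line):
            f["open_ports"].append(f"{m.group(1)}/{m.group(2)}")
        elif m := ORPHAN_RUN.match(line):
            hive, value, path = m.groups()
            f["orphan_runs"].append((hive, value, path))
            if any(d in path.lower() for d in SUSPICIOUS_RUN_DIRS):
                f["suspicious_runs"].append(path)
        elif m := HIDDEN_FILES.match(line):
            f["hidden_files"] = int(m.group(1))
    return f
```

Run against the sample it reports afd removed (so no connectivity until the AFD key is back), the Security Center override, RDP's 3389/TCP open to all profiles, and one orphaned Run entry launching an .exe from All Users\Application Data.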
  4. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Usually such a situation happens for a reason.
    I'd strongly suggest you follow my previous reply and post required logs.
Topic Status:
Not open for further replies.
