Inactive PC infected - ran 5 steps - is PC clean?

cjanien

Hi,

My wife's computer was infected with malware/virus. I have used Spybot with nothing found. I then went through the 5 step process in the FAQ downloading and running Malwarebytes, GMER, and DDS. It looks like these routines found problems. Below are the logs for the 3 programs.

I would like to know if the PC is now "disinfected" and is there any way to know the source of the virus so that it can be avoided. What should I be running to avoid future infection (PC is running XP but advice on W7 would be helpful too).

Thanks,

Chris

Malwarebytes log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8203

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/20/2011 8:54:36 PM
mbam-log-2011-11-20 (20-54-36).txt

Scan type: Quick scan
Objects scanned: 208813
Time elapsed: 15 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\chris janien\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Hawkins\local settings\Temp\~!#29.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Hawkins\local settings\Temp\~!#2A.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
c:\documents and settings\Hawkins\local settings\Temp\~!#2C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Hawkins\local settings\Temp\2D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\privacy.exe (Rogue.PrvacyProtect) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
 
I'm trying to post GMER.log but it is too long - 500,000+ vs 50,000 limit.

DDS.TXT will not post because there are 7 images which is over the 6 image limit. I don't understand this as I am cutting and pasting the exact file with nothing added.

Cannot find ATTACH.TXT

How do I get these files posted?
 
Part 1 of DDS.TXT

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_16
Run by Chris Janien at 22:06:11 on 2011-11-20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3032.2113 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\DTS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\AtService.exe
C:\WINDOWS\system32\FpLogonServ.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
 
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\Amsg.exe /startup
mRun: [CameraApplicationLauncher] c:\program files\lenovo\camera center\bin\CameraApplicationLaunchpadLauncher.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [ToolboxFX] "c:\program
 
Edit to condense log into previous post.
DDS log is continued below.

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli ACGina
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2011-9-21 25968]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2011-3-29 20592]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-20 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-20 320856]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-9-21 13680]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-20 20568]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-26 1676536]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-20 44768]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2011-9-21 292200]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-26 98304]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-10-26 118784]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2010-10-25 145920]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-10-26 69632]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\thinkpad\utilities\PWMEWSVC.exe [2011-9-21 148840]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-9-21 130920]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-9-23 64952]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-14 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 360448]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-10-26 2058776]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [2010-10-26 72448]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2010-10-26 482176]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-10-26 241880]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2010-10-26 23080]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-6 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-9-21 45496]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-26 106496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-6 136176]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [2011-5-11 20504]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [2011-5-11 21528]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-11-21 01:30:09 -------- d-----w- c:\documents and settings\chris janien\application data\Malwarebytes
2011-11-21 01:29:45 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-21 01:29:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 01:29:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-20 23:32:16 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-20 23:32:07 41184 ----a-w- c:\windows\avastSS.scr
2011-11-20 23:31:56 -------- d-----w- c:\program files\AVAST Software
2011-11-20 23:31:56 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
.
==================== Find3M ====================
.
2011-10-19 18:14:06 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-22 03:15:05 73728 ------w- c:\windows\system32\javacpl.cpl
2011-09-22 03:15:05 472808 ------w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 22:06:54.48 ===============
 
Re ran GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-21 02:14:17
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.FC2Z
Running: ucjzuyfi.exe; Driver: C:\DOCUME~1\CHRISJ~1\LOCALS~1\Temp\ugtdipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0x99BC5D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0x99BC5BC5]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x99C1D9A6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
 
Welcome to TechSpot! It would have been easier for you (and me) if you pasted as much of a log as could fit in a post instead of pieces of it. I'm going to try to get it together. Will be back.
 
Please don't string the logs out like you did with DDS. I have edited the posts and added most of the DDS.txt sections together, with the remainder in the following post.

I cannot tell at this point if the system is clean. There were Worms and rogue software programs found. Why couldn't you paste in the Attach.txt log from DDS?

Are all the entries for the Citrix XenApp (formerly Citrix MetaFrame Server and Citrix Presentation Server) set up intentionally and are they all necessary? The multiple filter entries are:
Name(s): application/x-ica, ica
Filename: IcaMimeFilter.dll
=====================================================
Please let me know about the Attach.txt problem.
=====================================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=========================================
Please note: If you have previously run Combofix and it is still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or from http://www.forospyware.com/sUBs/ComboFix.exe and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow it
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
  • Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================

It would be helpful for you to tell me what problems were being caused, not just that you had malware.
 
Hi Bobbye,

Sorry about the multiple posts of GMER and thank you for condensing my posts.

The reason for the multiple posts of GMER is that one line of the log was stopping my upload to Techspot. I kept getting an error saying I had 7 graphics in the upload and was only allowed 6. The only way to figure out where the problem was was to parse the file and send it in pieces. Fortunately the multiple GMER msgs are in sequence.

Also on my first run of GMER I got a log file that was 500,000+ characters. It was too big to upload as Techspot would only take 50,000. I think I may have caused that problem by hitting the "scan" button once GMER opened. You might want to make the FAQ a little clearer on that point.

The ATTACH.TXT does not exist. I've done several searches of the entire disk and could not find the file. Even searching by create date, in case I had the name wrong, did not find anything. Should I rerun DDS? Where does DDS place the ATTACH.TXT file?

The Citrix programs are necessary for accessing a cloud program and database. IcaMimeFilter.dll is part of the Citrix package as it is sitting in the Citrix directory.

I will run the additional programs as you have instructed and post the results unless you need me to run DDS first to get a new ATTACH.TXT file.

Thanks for all of your help,

Chris

PS do you want to see the one GMER line in that log that caused the upload problem?
 
You should not have had any images (graphics) in the logs. Don't put any 'Smileys' in the post. We have increased the allowed character limit- this is usually enough to hold the prelim. logs. But another post can be used if needed.

Also on my first run of GMER I got a log file that was 500,000+ characters. It was too big to upload as Techspot would only take 50,000. I think I may have caused that problem by hitting the "scan" button once GMER opened. You might want to make the FAQ a little clearer on that point.

There is a
Warning ! Please, do not select the "Show all" checkbox during the scan.
right above "Post the log." If a member overlooks that and does 'show all', it will generate a huge, multi-post log. Perhaps that's what happened to you. I don't need that last line now.

I guess you did a search for Attach.txt in the system. If you cannot find it, please run DDS again. Just paste in the Attach.exe log- I don't need the other one again. Please ignore the instruction to 'not post unless asked' and to 'zip'- just paste it in. The log you fragmented that I edited together was for a large section of the DDS.txt log.

Please paste the Attach.txt log in first. Follow that with the log from the Eset online virus scan.

Just so you don't run into the problem again, go ahead to another reply for the Combofix log. There is sometimes a section in the middle of the log which can make it lengthy, but I can't predict that. If you do need to split that log, split at the end of a section, not in the middle.

No problem with Citrix. Just being on the safe side.
 
ATTACH.TXT

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/26/2010 9:31:15 PM
System Uptime: 11/21/2011 9:48:39 AM (5 hours ago)
.
Motherboard: LENOVO | | 7454CTO
Processor: Intel Pentium III Xeon processor | None | 2393/266mhz
Processor: Intel Pentium III Xeon processor | None | 2394/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 142 GiB total, 115.388 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) Active Management Technology - SOL
Device ID: PCI\VEN_8086&DEV_2A47&SUBSYS_20EC17AA&REV_07\3&B1BFB68&0&1B
Manufacturer: Intel
Name: Intel(R) Active Management Technology - SOL (COM4)
PNP Device ID: PCI\VEN_8086&DEV_2A47&SUBSYS_20EC17AA&REV_07\3&B1BFB68&0&1B
Service: Serial
.
==== System Restore Points ===================
.
RP152: 8/24/2011 12:03:07 PM - System Checkpoint
RP153: 8/25/2011 5:29:14 PM - System Checkpoint
RP154: 8/29/2011 12:14:55 PM - System Checkpoint
RP155: 8/30/2011 8:20:59 PM - System Checkpoint
RP156: 9/1/2011 3:50:05 PM - System Checkpoint
RP157: 9/3/2011 12:45:38 AM - System Checkpoint
RP158: 9/4/2011 4:21:37 AM - System Checkpoint
RP159: 9/5/2011 8:21:37 AM - System Checkpoint
RP160: 9/6/2011 12:04:17 PM - System Checkpoint
RP161: 9/8/2011 8:48:28 PM - System Checkpoint
RP162: 9/11/2011 5:46:08 PM - System Checkpoint
RP163: 9/12/2011 6:00:14 PM - Removed HP Update.
RP164: 9/21/2011 11:11:01 PM - Removed Adobe Reader 8.2.6
RP165: 9/21/2011 11:14:58 PM - Installed Java(TM) 6 Update 26
RP166: 9/21/2011 11:50:00 PM - Installed ThinkPad Power Management Driver
RP167: 9/22/2011 12:24:12 AM - Installed Power Manager
RP168: 9/22/2011 12:25:20 AM - Installed Message Center
RP169: 9/22/2011 2:25:45 AM - Software Distribution Service 3.0
RP170: 10/7/2011 4:12:29 PM - System Checkpoint
RP171: 10/8/2011 3:00:12 AM - Software Distribution Service 3.0
RP172: 10/9/2011 6:26:29 PM - System Checkpoint
RP173: 10/10/2011 8:31:16 PM - System Checkpoint
RP174: 10/11/2011 11:10:03 PM - System Checkpoint
RP175: 10/12/2011 10:53:34 AM - Software Distribution Service 3.0
RP176: 10/13/2011 11:27:09 AM - System Checkpoint
RP177: 10/14/2011 11:21:14 PM - Configured Presentation Director
RP178: 10/14/2011 11:21:48 PM - Installed EasyEject Utility
RP179: 10/14/2011 11:22:32 PM - Installed ThinkVantage Access Connections
RP180: 10/14/2011 11:23:21 PM - Installed ThinkPad Keyboard Customizer Utility
RP181: 10/14/2011 11:24:02 PM - Installed Access Help
RP182: 10/14/2011 11:24:41 PM - Installed Help Center
RP183: 10/16/2011 10:27:37 PM - System Checkpoint
RP184: 10/20/2011 12:34:20 AM - System Checkpoint
RP185: 10/21/2011 8:53:37 AM - System Checkpoint
RP186: 10/24/2011 4:54:29 PM - System Checkpoint
RP187: 10/25/2011 9:26:18 PM - System Checkpoint
RP188: 10/26/2011 9:49:49 PM - System Checkpoint
RP189: 10/27/2011 10:49:49 PM - System Checkpoint
RP190: 10/29/2011 4:32:29 PM - System Checkpoint
RP191: 10/30/2011 5:12:27 PM - System Checkpoint
RP192: 10/31/2011 11:18:34 PM - System Checkpoint
RP193: 11/2/2011 12:16:09 AM - System Checkpoint
RP194: 11/3/2011 11:40:07 AM - System Checkpoint
RP195: 11/4/2011 2:58:11 PM - System Checkpoint
RP196: 11/5/2011 6:46:48 PM - System Checkpoint
RP197: 11/6/2011 6:38:07 PM - System Checkpoint
RP198: 11/7/2011 7:04:39 PM - System Checkpoint
RP199: 11/9/2011 4:58:01 PM - System Checkpoint
RP200: 11/10/2011 9:53:08 AM - Software Distribution Service 3.0
RP201: 11/13/2011 10:58:06 PM - System Checkpoint
RP202: 11/15/2011 10:50:21 AM - System Checkpoint
RP203: 11/16/2011 11:31:05 PM - System Checkpoint
RP204: 11/18/2011 7:46:28 PM - System Checkpoint
RP205: 11/20/2011 6:31:56 PM - avast! Free Antivirus Setup
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Access Help
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 8.3.1
avast! Free Antivirus
Camera Center
CCleaner
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Client Security - Password Manager
Conexant 20561 SmartAudio HD
Design Manager Professional 5.0
Google Chrome
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Update Helper
Help Center
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB889816)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB894686)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB898456)
Hotfix for Windows XP (KB903250)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB909667)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB916189)
Hotfix for Windows XP (KB917332)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB918837)
Hotfix for Windows XP (KB923293)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Hotfix for Windows XP (KB934205)
Hotfix for Windows XP (KB935192)
Hotfix for Windows XP (KB949483)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP LaserJet Professional CM1410 Series
HP LJ CM1410 MFP Series HP Scan
HP Update
HPLaserJetHelp_LearnCenter
HPLJUT
hppCM1410LaserJetService
hppFaxDrvCM1410
hppFaxUtilityCM1410
hppLaserJetService
hppSendFaxCM1410
hppTLBXFXCM1410
hpzTLBXFX
I.R.I.S. OCR
Integrated Camera Driver Installer Package Ver.1.18.500.0
Integrated Camera TWAIN
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) Network Connections Drivers
Intel(R) PROSet/Wireless WiFi Software
Intel® Active Management Technology
Intel® Trusted Platform Module
J2SE Runtime Environment 5.0 Update 16
Java Auto Updater
Java(TM) 6 Update 26
Lenovo Auto Scroll Utility
Lenovo Fingerprint Software
Lenovo Registration
Lenovo System Interface Driver
Malwarebytes' Anti-Malware version 1.51.2.1300
Marketsplash Shortcuts
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobile Broadband Connect
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
On Screen Display
PC-Doctor 5 for Windows
Presentation Director
Productivity Center Supplement for ThinkPad
Rescue and Recovery
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Skype™ 5.0
Spybot - Search & Destroy
System Migration Assistant
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Integration Setup
ThinkPad Hotkey Features Setup
ThinkPad Keyboard Customizer Utility
ThinkPad Modem Adapter
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad TrackPoint Driver
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB898461)
Update for Windows XP (KB912945)
Update for Windows XP (KB925720)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Wireless BroadbandAccess Self Activation
Wallpapers
WebFldrs XP
Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (10/02/2008 8.1.2.37)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Toolbar
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883517
Windows XP Hotfix - KB883523
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB884868
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885894
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889315
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB896613
XP Themes
.
==== Event Viewer Messages From Past Week ========
.
11/20/2011 7:00:36 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 12 time(s).
11/20/2011 7:00:00 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 11 time(s).
11/20/2011 6:58:27 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 10 time(s).
11/20/2011 6:55:36 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 9 time(s).
11/20/2011 6:54:35 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 8 time(s).
11/20/2011 6:53:47 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 7 time(s).
11/20/2011 6:52:57 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 6 time(s).
11/20/2011 6:52:24 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 5 time(s).
11/20/2011 6:51:46 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 4 time(s).
11/20/2011 5:42:35 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
11/20/2011 5:39:09 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/20/2011 5:38:24 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'serial.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/20/2011 5:38:22 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/20/2011 5:36:23 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.
11/20/2011 5:36:23 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/20/2011 5:35:23 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/18/2011 6:21:04 PM, error: Dhcp [1002] - The IP address lease 192.168.1.118 for the Network Card with network address 00216A33492C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
ESET Online Scanner did not find anything.



ComboFix 11-11-21.01 - Chris Janien 11/21/2011 18:30:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3032.2503 [GMT -5:00]
Running from: c:\doc\Download\Combofix\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Hawkins\Application Data\.#
c:\windows\$NtUninstallKB48551$
c:\windows\$NtUninstallKB48551$\3677382295\@
c:\windows\$NtUninstallKB48551$\3677382295\bckfg.tmp
c:\windows\$NtUninstallKB48551$\3677382295\cfg.ini
c:\windows\$NtUninstallKB48551$\3677382295\Desktop.ini
c:\windows\$NtUninstallKB48551$\3677382295\kwrd.dll
c:\windows\$NtUninstallKB48551$\3677382295\L\hvmonmrs
c:\windows\$NtUninstallKB48551$\3677382295\lsflt7.ver
c:\windows\$NtUninstallKB48551$\3677382295\U\00000001.@
c:\windows\$NtUninstallKB48551$\3677382295\U\00000002.@
c:\windows\$NtUninstallKB48551$\3677382295\U\00000004.@
c:\windows\$NtUninstallKB48551$\3677382295\U\80000000.@
c:\windows\$NtUninstallKB48551$\3677382295\U\80000004.@
c:\windows\$NtUninstallKB48551$\3677382295\U\80000032.@
c:\windows\$NtUninstallKB48551$\3711939319
.
.
((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
.
.
2011-11-21 23:07 . 2011-11-21 23:08 -------- d-----w- C:\rei
2011-11-21 23:07 . 2011-11-21 23:07 -------- d-----w- c:\program files\Reimage
2011-11-21 01:30 . 2011-11-21 01:30 -------- d-----w- c:\documents and settings\Chris Janien\Application Data\Malwarebytes
2011-11-21 01:29 . 2011-11-21 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-21 01:29 . 2011-11-21 01:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-21 01:29 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-20 23:33 . 2011-11-20 23:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-11-20 23:32 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-20 23:32 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-20 23:32 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-20 23:32 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-20 23:32 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-20 23:32 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-20 23:32 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-20 23:32 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-20 23:32 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-20 23:32 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-20 23:31 . 2011-11-20 23:31 -------- d-----w- c:\program files\AVAST Software
2011-11-20 23:31 . 2011-11-20 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 18:14 . 2011-09-22 03:44 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-22 03:15 . 2011-09-22 03:15 73728 ------w- c:\windows\system32\javacpl.cpl
2011-09-22 03:15 . 2011-09-22 03:15 472808 ------w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-07 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-03-26 62312]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-09-29 93472]
"TpShocks"="TpShocks.exe" [2011-03-29 337256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-08 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-08 124248]
"AMSG"="c:\progra~1\THINKV~1\AMSG\Amsg.exe" [2009-09-03 436800]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2008-08-12 16384]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2011-07-04 800104]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2011-07-04 208896]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2011-04-14 431464]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2011-04-14 189800]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-14 3073336]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"ToolboxFX"="c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-10-25 58936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-13 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-13 170008]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-13 145432]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-3-28 596584]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-10-26 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-10-27 01:41 180224 ------w- c:\windows\system32\FpWinlogonNp.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\csiInstaller\\0EF0EA0D-F945-4958-85CC-60FF1E86D216\\Installer\\hpbcsiInstaller.exe"=
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [9/21/2011 11:24 PM 25968]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/29/2011 6:12 PM 20592]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/20/2011 6:32 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/20/2011 6:32 PM 320856]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 11:51 AM 65584]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/21/2011 10:50 PM 13680]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 7:50 AM 46144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/20/2011 6:32 PM 20568]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [10/26/2008 8:33 PM 1676536]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [9/21/2011 11:24 PM 292200]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [10/26/2008 8:38 PM 98304]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [10/26/2008 8:41 PM 118784]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [10/25/2010 1:53 PM 145920]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/26/2010 8:20 PM 69632]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.exe [9/21/2011 11:24 PM 148840]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [9/21/2011 10:50 PM 130920]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/23/2008 9:20 PM 64952]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 6:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 7:50 AM 360448]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [10/26/2010 8:03 PM 2058776]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\5U875.sys [10/26/2010 8:06 PM 72448]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [10/26/2010 8:12 PM 482176]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [10/26/2010 7:51 PM 241880]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [10/26/2010 8:06 PM 23080]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 5:54 PM 37312]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/6/2010 10:06 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/21/2011 10:50 PM 45496]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [10/26/2008 8:38 PM 106496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/6/2010 10:06 PM 136176]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [5/11/2011 11:37 PM 20504]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [5/11/2011 11:37 PM 21528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-21 c:\windows\Tasks\At2.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\At3.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\At4.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-10 c:\windows\Tasks\At5.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\At6.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-19 c:\windows\Tasks\At7.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\At8.job
- c:\program files\HP\HPLJUT\HPLJUTSCH.exe [2010-09-22 12:18]
.
2011-11-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]
.
2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 03:06]
.
2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-07 03:06]
.
2011-11-21 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-10-27 05:39]
.
2011-11-21 c:\windows\Tasks\Reimage Reminder.job
- c:\program files\Reimage\Reimage Repair\ReimageReminder.exe [2011-11-07 12:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 68.87.71.230
.
- - - - ORPHANS REMOVED - - - -
.
Notify-ACNotify - ACNotify.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-21 18:55
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1016)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
.
- - - - - - - > 'explorer.exe'(5444)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\MSCTF.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\LENOVO\HOTKEY\tposdsvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
c:\windows\system32\igfxext.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft Office\Office\1033\msoffice.exe
c:\progra~1\ThinkPad\UTILIT~1\SCHTASK.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-11-21 18:59:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-21 23:59
.
Pre-Run: 123,865,833,472 bytes free
Post-Run: 124,202,110,976 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 490F0DD9E4F375797A30AC734EB4E1D5
 
Bobbye,

I did get a notification from Combofix that Rootkit.ZeroAccess was inserted into the TCP/IP stack, and then again that a RootKit was detected.

Not happy about this. I appreciate your help.

Chris
 
Remove ZeroAccess

I just put this together and haven't had time to do all the formatting yet, but what you need is here:
Determine if you are infected with ZeroAccess

1. Open the Task Manager by pressing Ctrl + Shift + Esc on your keyboard or by right-clicking the Start Menu bar and selecting Task Manager.

2. Be sure that "Show processes from all users" is selected at the bottom left-hand corner of the window. Click "Image Name" to sort this column alphabetically and then look at the top of the list.

If you are infected with the ZeroAccess rootkit, you will see a running process such as "1077238835:3433286335.exe" (example only; your computer may display different numbers).

ESET has provided a stand-alone malware removal tool to remove this particularly resilient threat. Follow the steps below.

1. Download, save and run the 'Win32/Sirefef' stand-alone malware removal tool while in Normal Mode and follow the prompts as directed.
2. Restart your computer into Safe Mode with Networking after running the stand-alone tool.
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
3. Run the ESET Online Scanner while in Safe Mode with Networking.

If you receive an error during any part of the process, locate the ESET Online Scanner program by clicking Start > Control Panel > Add/Remove Programs and remove it from your system. Run the scan again by double-clicking the esetsmartinstaller.exe installer you downloaded before. No restart is necessary after running the ESET Online Scanner.

4. Once the machine is clean and while still in Safe Mode with Networking, run the ESET Uninstaller. Follow the instructions by clicking the following link:

Windows Vista/Home Server/XP/2003 R2/2003/2000

5. The infection should be removed. Restart your computer normally.

Please let me know how this goes.

Combofix has removed one of the related entries.
=============================================
To anyone who may be reviewing this thread: Note: These directions are only for the member who started this thread. Do not attempt to run this on your own.
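Bobbye's check above is done by eye in Task Manager. As an added example, not from this thread, from ESET or from any of the tools named in it, the Python script below applies the same name-shape heuristic programmatically: it reads process names in the CSV layout produced by `tasklist /fo csv` (present on XP Professional) and flags any image name made of two digit runs joined by a colon. The process list embedded in it is constructed, not a capture from Chris's machine, and the numeric name in it is simply shaped like the thread's example.

```python
import csv
import io
import re
import subprocess

# Shape of the process name the thread describes for a ZeroAccess infection:
# two runs of digits joined by a colon, with an .exe extension, e.g.
# "1077238835:3433286335.exe". The digits differ per machine, so only the
# shape is matched, never a fixed value.
SUSPECT_NAME = re.compile(r"^\d+:\d+\.exe$", re.IGNORECASE)


def parse_tasklist_csv(text):
    """Return the image names from `tasklist /fo csv` output.

    The first row of that output is the header ("Image Name","PID",...).
    """
    reader = csv.DictReader(io.StringIO(text))
    return [row["Image Name"] for row in reader]


def flag_suspect_processes(image_names):
    """Return, sorted, the image names matching the numeric NNN:NNN.exe shape."""
    return sorted(n for n in image_names if SUSPECT_NAME.match(n.strip()))


def live_image_names():
    """Run tasklist on a Windows machine and return its image names.

    Not exercised here; tasklist writes in the console code page, so decoding
    errors are replaced rather than raised.
    """
    out = subprocess.check_output(["tasklist", "/fo", "csv"])
    return parse_tasklist_csv(out.decode("cp437", errors="replace"))


# Constructed sample in `tasklist /fo csv` layout (not a real capture): a few
# ordinary XP processes plus one name shaped like the thread's example.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"smss.exe","548","Console","0","388 K"
"csrss.exe","612","Console","0","3,940 K"
"winlogon.exe","636","Console","0","4,312 K"
"svchost.exe","912","Console","0","5,120 K"
"explorer.exe","1480","Console","0","22,004 K"
"1077238835:3433286335.exe","1712","Console","0","1,240 K"
"firefox.exe","2044","Console","0","61,880 K"
'''

if __name__ == "__main__":
    names = parse_tasklist_csv(SAMPLE_TASKLIST)
    hits = flag_suspect_processes(names)
    print("suspect process names:", ", ".join(hits) if hits else "none")
```

A hit is a reason to run the ESET stand-alone tool as Bobbye describes; an empty result is not proof the machine is clean, which is exactly why she also relies on the Combofix and Malwarebytes logs rather than Task Manager alone.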
 
Did not see the ZeroAccess process running in the task manager. Should I run any other routines or cleanup?
 
Catching up! Combofix may have removed the only entries remaining.

But I'd like you to Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

When scan has finished, you will see this image:
scan-finished.jpg

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
===========================================
There are other entries that need to be removed. I'm writing a script for you to run through Combofix. Go ahead and run the Mbam full scan while I'm doing it. I'll be returning shortly.
 
I just noticed this recent install:

2011-11-21 23:07 -------- d-----w- c:\program files\Reimage
2011-11-21 23:08 -------- d-----w- C:\rei>> is this a directory for Reimage?
------------------------------------------------------
If you have not paid for this costly program yet and have a Trial Period, I recommend that you uninstall it:
Description and rating from PC magazine:
Pros
Unique repair service reinstalls Windows "in place" by restoring or replacing missing or damaged Windows files. Only software of its kind.
Cons
Only repairs files that are part of the Windows OS, not Microsoft Office or other third-party files. Can turn up disturbing (but ultimately harmless) glitches.
Reimage is the only repair-in-place Windows repair service, but at $69.95 per year, you should try other solutions first.

Regardless of whether you decide to keep it or not, please disable it if it is running in the background. Please don't install any more new programs while I am helping you.
 
Thanks for pointing out Reimage. While trying to download Combofix, I clicked on the wrong download link and got Reimage. Thought the install file was just sitting in my download directory. Didn't subscribe and didn't run it.

Just uninstalled Reimage. Updated and running Malwarebytes now.

Did not hear from you for four days so thought we were done. I did some research on zero.access -- nasty piece of code! Marco Giuliani of webroot wrote a good white paper about the malware. Ran Webroot's zero.access routine and nothing was found. Also FYI the pc has been used for email and web browsing with no problems -- so far.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8254

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/27/2011 8:07:53 PM
mbam-log-2011-11-27 (20-07-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 248171
Time elapsed: 27 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
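Chris's question is whether the PC is clean, and Bobbye holds her verdict until she has seen this full-scan log. As an added example that is not part of the thread and not Malwarebytes' own code, here is a small Python parser for the log format shown above: it reads the per-category counts and each detection line into structured records and reports which items were not quarantined. The log embedded in it is constructed, modelled on the quick-scan log in Chris's first post; the "No action taken" line in it is invented to exercise the unresolved-item branch.

```python
import re

# Summary lines at the top of the log, e.g. "Files Infected: 7".
COUNT_LINE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")


def parse_mbam_log(text):
    """Parse a Malwarebytes 1.x text log into counts and per-item records.

    Detection lines have the shape
        <object> (<detection>) -> [<detail> -> ...] <action>.
    A registry value line carries an extra "Value: NAME" detail before the action.
    """
    counts = {}
    items = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_LINE.match(line)
        if m:
            counts[m.group("category")] = int(m.group("count"))
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]            # e.g. "Registry Values Infected"
            continue
        if section and ") -> " in line:
            obj_part, _, rest = line.partition(") -> ")
            # rpartition: the detection name is in the LAST "(...)", so paths
            # such as "c:\program files (x86)\..." are not mis-split.
            obj, _, detection = obj_part.rpartition(" (")
            parts = rest.rstrip(".").split(" -> ")
            items.append({
                "section": section,
                "object": obj,
                "detection": detection,
                "details": parts[:-1],     # e.g. ["Value: RTHDBPL"]
                "action": parts[-1],       # e.g. "Quarantined and deleted successfully"
            })
    return {"counts": counts, "items": items}


def assess(report):
    """Total detections, objects not removed, and whether this scan found nothing."""
    total = sum(report["counts"].values())
    not_removed = [
        item["object"] for item in report["items"]
        if not item["action"].lower().startswith("quarantined and deleted")
    ]
    return {
        "total_detections": total,
        "not_removed": not_removed,
        "clean_on_this_scan": total == 0,
    }


# Constructed log, shortened and modelled on the thread's quick-scan log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8203

Scan type: Quick scan
Objects scanned: 208813
Time elapsed: 15 minute(s), 19 second(s)

Memory Processes Infected: 0
Registry Values Infected: 1
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\user\application data\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\example\constructed.exe (Trojan.Agent) -> No action taken.
"""

if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    for item in report["items"]:
        print(f"{item['section']}: {item['detection']} at {item['object']} -> {item['action']}")
    print(assess(report))
```

The "clean_on_this_scan" flag only means this scanner, with this database, reported nothing; in the thread a Malwarebytes run was followed by Combofix reporting Rootkit.ZeroAccess, which is why Bobbye asks for a full scan and weighs several tools' logs before calling the machine clean.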
 
You asked about cause and protection from malware. I'll give you some security info and ideas of how the malware got on the system when we finish.
=============================
Run command for delete At.job first

  • Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

    Code:
    del /a/f/q "C:\WINDOWS\Tasks\At*.job"
  • Save this as delete.bat and choose to Save as type: - All Files
  • Close the Notepad file.
  • Double-click on delete.bat. It should look like this:
    Clipboard01command.gif
  • Allow it to run. Please delete the file afterwards.
===============================
Some of the Scheduled Tasks can't be removed in the Command above, but I would encourage you to stop these also:
1. c:\windows\Tasks\Check Updates for Windows Live Toolbar.job (set in 2007)
2. c:\windows\Tasks\PMTask.job (set 2010 from ThinkPad)
3. c:\windows\Tasks\Reimage Reminder.job
--------------------
Scheduled Tasks
Most of these found are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.

Opening scheduled tasks to modify or delete them:
Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
To change the settings for a task: right-click the Task> click Properties> do any of the following:
  1. To change the schedule for the task, click the Schedule tab.
  2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
  3. To delete a task> right-click the task> click Delete.
  4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.

Maintenance Scheduled Tasks such as defrag are in a separate category.
======================================
Question: Have you ever checked the Lenovo/ThinkPad processes to see if you need/want/use them all? You have a great number of processes running that were pre-loaded on the system. Most times, the user doesn't realize some are using resources needlessly and can be stopped, set to Manual, or uninstalled altogether.

At this point, that company is running your system, not you. Are you comfortable with that?
=======================================
Other than the Tasks I brought to your attention, you don't need to run any script. I will reserve the status however until I see the Mbam full scan.
======================================
I would like to know if the PC is now "disinfected" and is there any way to know the source of the virus so that it can be avoided. What should I be running to avoid future infection (PC is running XP but advice on W7 would be helpful too).

Two of the three malwares were from unsafe email practices: See Safe Email Handling, #8 below

1. Name: RTHDBPL>> Added by the Troj/Mdrop-CKT

This Trojan arrives as attachment to email messages spammed by another malware or a malicious user.

It may be dropped by other malware and may be downloaded unknowingly by a user when visiting malicious Web site(s).

It takes advantage of a known vulnerability in Microsoft Excel that allows remote code execution. More information on the said vulnerability is available in the following Microsoft Web page: http://technet.microsoft.com/en-us/security/bulletin/MS08-014

2. Name: Worm:Win32/Prolaco.M
Methods of propagation:
Email
• Peer to Peer

Side effects:
• Lowers security settings
• Downloads malicious files
• Drops malicious files
• Registry modification
Firefox Extension: Side effects:
• Lowers security settings
• Downloads malicious files
• Drops malicious files
• Registry modification
(may show as Trojan:Win32/Dursg.E, CLSID: {9CE11043-9A15-4207-A565-0C94C42D590D})

If this was received via email, most likely at least one user opened the email attachment. Once machines are infected this risk does attempt to spread through networks to other systems.

3. (Rogue.PrvacyProtect) aliases: Trojan/Win32.FakeAV, TR/Crypt.ZPACK.Gen2
http://ezinearticles.com/?Privacy-Protection---A-New-Member-in-the-Family-of-Rogues&id=6677711
==========================================
Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show how the site rates for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
  2. Have layered Security:
    [o] Antivirus (only one): Both of the following programs are free and known to be good:
    [o] Avira-AntiVir-Personal-Free-Antivirus
    [o] Avast-Free Antivirus
    [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    [o] Comodo
    [o] Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o] SpywareBlaster: SpywareBlaster protects against bad ActiveX.
    [o] Spybot Search & Destroy
  4. Updates: Stay current:
    [o] Visit the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
    [o] Adobe Reader: Install current, uninstall old.
    [o] Java Updates: Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookies:
    [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    Clean the temporary internet files often:
    [o] Temporary File Cleaner
    or
    [o] ATF Cleaner by Atribune
  7. Restore Points:
    [o] See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save them to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad link.
=============================
 
Wow! That is a great list of tips! Thank you very much.

You mention Worm:Win32/Prolaco.M as spreading thru a network. What should I do with my other PCs (XP, Vista, W7 opsys) that are on my LAN? Is MBAM sufficient?

Second, is it better to move to Win7? My tech says Win7 and MS Defender(?) are not easily infected. Is 64-bit opsys better to use than 32-bit? Looks like zero.access is a 32-bit only malware.

Finally, I will go thru the Lenovo processes. When I pull up the task manager I am always amazed at the number of items running. Problem is the names are so cryptic I don't know what they are. I've started to use msconfig to view the startup programs, but can't I have additional programs started by commands in the registry file? How do I handle that?

Again, thank you so much for your help. You guys have created a site that I find indispensable.
 