
Hi,

My Lenovo T61 running Windows XP SP2 with Norton AV and Spybot SD has been infected with malware recently. Symptoms include slow performance, frequent IE crashes and fatal process errors. I also notice that in normal mode, each time IE launches, a command dialogue window opens itself before IE starts. Please see the recent HJT and MAB logs below. Will really appreciate your assistance in ridding myself of this nuisance.

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:10:35, on 7/14/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.109.54:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ultimatix*;*indelm*;<local>;*.local

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: CPwmIEBrowserHelper Object - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe

O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\TCS\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\TCS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [PTOneClick] C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe

O4 - HKCU\..\Run: [VonageTalk] C:\Program Files\VonageTalk\vonagetalk.exe -b

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Air Mouse.lnk = C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\TCS\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\TCS\Start Menu\Programs\UltimateBet\UltimateBet.lnk

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.onerateld.com

O16 - DPF: {07AB92C1-242F-40C1-B3C5-323DCC7B68D2} (Siebel High Interactivity Framework) - https://crmappweb.ultimatix.net/sales/18382...x_HI_Client.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {28288D59-CEA4-466B-9A20-04AE7C686611} (Contributor Web Client Connector) - https://planning.ultimatix.net/cognos/contr...lientfull82.cab

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O16 - DPF: {CF27E6B4-C0E0-455E-A6F1-8C88004E8976} (epcInstallerConnector Class) - https://planning.ultimatix.net/cognos/contr...installer82.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://tcs.webex.com/client/T25L/webex/ieatgpc.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe

O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe

O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--

End of file - 13752 bytes

MAB Log:

Malwarebytes' Anti-Malware 1.39

Database version: 2424

Windows 5.1.2600 Service Pack 2

7/14/2009 8:48:50 AM

mbam-log-2009-07-14 (08-48-45).txt

Scan type: Full Scan (C:\|)

Objects scanned: 254169

Time elapsed: 52 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\temp\wpv481246909117.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\TCS\Application Data\wiaserva.log (Malware.Trace) -> No action taken.


Hi and sorry for the delay, but it's been really busy around here!

Just need to check something out (fatal exception errors), so please grab the following log.

Download RootRepeal>>>

http://rootrepeal.googlepages.com/

Extract the file and run rootrepeal.exe

Click on the Report tab on the bottom right of the software, then press Scan.

Put a check (tick) in all boxes except the 2 SSDT options, then press OK.

Place a check (tick) in the drive to be scanned (usually you will only have to select C).

Please save the logfile generated and copy and paste the contents of that log into your next reply.


No problem, thanks for your attention to this post and for your help. Here is the log file as you requested:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/07/15 16:08

Program Version: Version 1.3.2.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: dump_iaStor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys

Address: 0xF6ABD000 Size: 778240 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF5F98000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP41\A0015932.ini

Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP41\A0015933.INI

Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090710.003\EraserUtilRebootDrv.sys

Status: Locked to the Windows API!

Stealth Objects

-------------------

Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8348d250 Address: 3504

==EOF==


Ok, nothing unusual there, can see the Norton rootkit but no malware there.

Let's try another tool to see if that shines any light on what is causing the issues.

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

http://www.forospyware.com/sUBs/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Here you go. BTW, all the logs I'm posting here are with Windows running in safe mode. Not sure if that makes a difference, but at any step if you need me to be in normal mode let me know.

Thanks.

ComboFix 09-07-14.08 - TCS 07/15/2009 17:01.4.2 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.998.737 [GMT -5:00]

Running from: c:\documents and settings\TCS\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\TCS\Application Data\wiaserva.log

.

((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))

.

2009-07-14 14:21 . 2009-07-14 14:21 -------- d-sh--w- C:\found.000

2009-07-08 13:31 . 2009-07-08 13:31 -------- d-----w- c:\program files\Common Files\GSTools

2009-07-08 13:30 . 2009-07-08 13:30 -------- d-----w- c:\program files\cognos

2009-07-08 02:46 . 2009-07-08 02:46 -------- d-----w- c:\program files\Western Digital

2009-06-28 18:12 . 2009-06-28 18:12 -------- d-----w- c:\program files\Microsoft Silverlight

2009-06-19 00:25 . 2009-06-19 00:26 -------- d-----w- c:\program files\Safari

2009-06-19 00:20 . 2009-06-19 00:20 -------- d-----w- c:\program files\iPod

2009-06-19 00:20 . 2009-06-19 00:21 -------- d-----w- c:\program files\iTunes

2009-06-19 00:20 . 2009-06-19 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-18 23:52 . 2009-06-18 23:52 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-18 22:48 . 2009-06-05 16:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-06-18 22:34 . 2009-06-18 22:34 -------- d-----w- c:\program files\Bonjour

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-15 21:58 . 2008-05-16 03:14 -------- d-----w- c:\documents and settings\TCS\Application Data\uTorrent

2009-07-14 14:25 . 2009-02-25 23:22 -------- d-----w- c:\program files\Symantec AntiVirus

2009-07-14 14:08 . 2007-10-02 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-07-14 04:41 . 2008-10-20 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-14 04:40 . 2009-04-13 17:55 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-14 04:36 . 2007-11-25 17:55 1324 ----a-w- c:\documents and settings\TCS\Local Settings\Application Data\d3d9caps.dat

2009-07-14 04:28 . 2009-04-13 23:56 -------- d-----w- c:\program files\VonageTalk

2009-07-14 04:05 . 2008-05-16 03:14 -------- d-----w- c:\program files\uTorrent

2009-07-14 04:03 . 2007-11-25 06:55 -------- d-----w- c:\documents and settings\TCS\Application Data\Skype

2009-07-14 03:03 . 2007-11-25 06:56 -------- d-----w- c:\documents and settings\TCS\Application Data\skypePM

2009-07-13 18:36 . 2008-10-20 00:25 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 18:36 . 2008-10-20 00:25 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-13 13:34 . 2007-11-04 05:35 -------- d-----w- c:\program files\UltimateBet

2009-06-19 00:20 . 2008-05-27 11:24 -------- d-----w- c:\program files\Common Files\Apple

2009-06-18 23:31 . 2008-10-28 14:21 -------- d-----w- c:\program files\QuickTime

2009-06-18 22:50 . 2007-11-12 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-06-05 16:42 . 2008-05-27 11:25 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-05 16:42 . 2007-10-03 06:42 -------- d-----w- c:\program files\Google

2009-06-01 03:42 . 2009-06-01 03:42 390664 ----a-w- c:\documents and settings\TCS\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

2009-05-28 14:52 . 2009-05-28 14:52 221184 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\ataudio.dll

2009-05-28 14:52 . 2009-05-28 14:52 307200 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\ateditor.dll

2009-05-28 14:52 . 2009-05-28 14:52 46408 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\atauthor.exe

2009-05-28 14:52 . 2009-05-28 14:52 212992 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\atrpui.dll

2009-05-28 14:52 . 2009-05-28 14:52 401408 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\atrecply.dll

2009-05-28 14:51 . 2007-11-02 13:11 -------- d-----w- c:\documents and settings\TCS\Application Data\webex

2009-05-28 14:51 . 2008-10-15 14:48 27976 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\ptgpcdec.dll

2009-05-11 22:51 . 2009-05-11 22:48 68720 ----a-w- c:\documents and settings\TCS_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-08 14:59 . 2009-03-20 17:56 3296 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2009-05-08 14:59 . 2009-03-20 17:56 3296 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2009-05-08 14:59 . 2009-03-20 17:56 168 --sh--r- c:\documents and settings\All Users\Application Data\053A780C57.sys

2009-05-08 14:59 . 2009-03-20 17:56 168 --sh--r- c:\documents and settings\All Users\Application Data\053A780C57.sys

2009-05-08 12:31 . 2007-10-03 06:50 68720 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-07 15:44 . 2006-04-30 06:55 344064 ----a-w- c:\windows\system32\localspl.dll

2009-05-01 03:01 . 2009-05-01 03:01 45056 ----a-r- c:\documents and settings\TCS\Application Data\Microsoft\Installer\{578145B3-3831-4D85-BB53-4A9D90F821DE}\NewShortcut89_1D243F0013894C63A7E9B17E967D1901.exe

2009-05-01 03:01 . 2009-05-01 03:01 45056 ----a-r- c:\documents and settings\TCS\Application Data\Microsoft\Installer\{578145B3-3831-4D85-BB53-4A9D90F821DE}\NewShortcut84_1D243F0013894C63A7E9B17E967D1901.exe

2009-05-01 03:01 . 2009-05-01 03:01 45056 ----a-r- c:\documents and settings\TCS\Application Data\Microsoft\Installer\{578145B3-3831-4D85-BB53-4A9D90F821DE}\NewShortcut83_1D243F0013894C63A7E9B17E967D1901.exe

2009-05-01 03:01 . 2009-05-01 03:01 45056 ----a-r- c:\documents and settings\TCS\Application Data\Microsoft\Installer\{578145B3-3831-4D85-BB53-4A9D90F821DE}\NewShortcut80_1D243F0013894C63A7E9B17E967D1901.exe

2009-04-29 04:56 . 2006-04-30 06:56 827392 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:55 . 2006-04-30 06:55 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-04-27 15:59 . 2008-10-15 14:48 1336648 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\webexmgr.dll

2009-04-27 15:59 . 2008-10-15 14:48 708608 ----a-w- c:\documents and settings\TCS\Application Data\webex\PlugIns\T26L\824\pfwres.dll

2009-04-17 10:09 . 2006-04-30 06:55 1847936 ----a-w- c:\windows\system32\win32k.sys

2009-07-03 19:31 . 2008-08-27 18:35 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2009-05-05 16:14 . 2008-10-17 13:36 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2009-05-05 16:14 . 2008-10-17 13:36 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-10-17 13:36 . 2008-10-17 13:36 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2008-10-17 13:36 . 2008-10-17 13:36 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

"cdloader"="c:\documents and settings\TCS\Application Data\mjusbsp\cdloader2.exe" [2007-12-21 50520]

"Google Update"="c:\documents and settings\TCS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"PTOneClick"="c:\program files\WebEx\Productivity Tools\ptoneclk.exe" [2009-01-31 165192]

"VonageTalk"="c:\program files\VonageTalk\vonagetalk.exe" [2007-10-22 4509696]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"AirCardEnabler"="c:\program files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [2003-05-23 163840]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-24 185896]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-07-29 176128]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]

"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

c:\documents and settings\TCS\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-1-19 268288]

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-9-11 576104]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-10-2 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2007-03-15 05:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]

2007-03-28 02:51 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Temp\\HP_WebRelease\\Setup\\HPZnet01.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Interactive Intelligence\\Interaction Client .NET Edition\\InteractionClient.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Documents and Settings\\TCS\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

"c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\VonageTalk\\vonagetalk.exe"=

"c:\\Documents and Settings\\TCS\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [3/2/2007 7:49 PM 100656]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 7:47 PM 19760]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [5/10/2009 1:39 AM 33792]

R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [10/11/2007 12:33 AM 58240]

S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [10/3/2007 1:25 AM 4442]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]

S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]

S2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 12:10 AM 11152]

S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);c:\windows\system32\drivers\air555.sys [10/16/2007 7:04 AM 125608]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [12/15/2007 9:53 PM 16512]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/10/2009 8:04 PM 101936]

S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\drivers\ewusbmdm.sys [1/14/2008 10:34 PM 88960]

S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\system32\drivers\ewusbser.sys [1/14/2008 10:34 PM 65152]

S3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [10/3/2007 1:12 AM 81280]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [10/19/2008 7:25 PM 38160]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 9:48 PM 116664]

S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 2:42 PM 35264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2009-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2071645476-1119719685-3435165419-1005Core.job

- c:\documents and settings\TCS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:18]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2071645476-1119719685-3435165419-1005UA.job

- c:\documents and settings\TCS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:18]

2007-10-02 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-10-03 16:14]

2009-07-13 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-10-02 20:46]

2009-07-14 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = about:blank

uInternet Settings,ProxyServer = 172.17.109.54:8080

uInternet Settings,ProxyOverride = *ultimatix*;*indelm*;<local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm

IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\TCS\Start Menu\Programs\UltimateBet\UltimateBet.lnk

Trusted Zone: onerateld.com

Trusted Zone: turbotax.com

Trusted Zone: ultimatix.net\www

DPF: {07AB92C1-242F-40C1-B3C5-323DCC7B68D2} - hxxps://crmappweb.ultimatix.net/sales/18382/applets/SiebelAx_HI_Client.cab

DPF: {28288D59-CEA4-466B-9A20-04AE7C686611} - hxxps://planning.ultimatix.net/cognos/contributor/controls/clientfull82.cab

DPF: {CF27E6B4-C0E0-455E-A6F1-8C88004E8976} - hxxps://planning.ultimatix.net/cognos/contributor/controls/epcwebinstaller82.cab

FF - ProfilePath - c:\documents and settings\TCS\Application Data\Mozilla\Firefox\Profiles\ciwigeu5.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\documents and settings\TCS\Application Data\Mozilla\Firefox\Profiles\ciwigeu5.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\documents and settings\TCS\Application Data\Mozilla\Firefox\Profiles\ciwigeu5.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\TCS\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - HiddenExtension: XUL Cache: {16B12FBB-6CCD-4DAB-B94A-37046778C294} - c:\documents and settings\TCS\Local Settings\Application Data\{16B12FBB-6CCD-4DAB-B94A-37046778C294}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-15 17:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)

c:\windows\system32\vrlogon.dll

c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\windows\system32\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infra.dll

c:\program files\ThinkVantage Fingerprint Software\homepass.dll

c:\program files\ThinkVantage Fingerprint Software\bio.dll

c:\program files\ThinkVantage Fingerprint Software\ps2css.dll

c:\program files\ThinkVantage Fingerprint Software\remote.dll

c:\program files\Lenovo\HOTKEY\tphklock.dll

c:\program files\ThinkVantage Fingerprint Software\crypto.dll

- - - - - - - > 'lsass.exe'(1084)

c:\windows\system32\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infra.dll

c:\program files\ThinkPad\ConnectUtilities\ACGina.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACON.dll

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll

c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll

c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll

c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll

c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

.

Completion time: 2009-07-15 17:14

ComboFix-quarantined-files.txt 2009-07-15 22:14

ComboFix2.txt 2009-04-14 18:24

Pre-Run: 3,117,608,960 bytes free

Post-Run: 3,215,994,880 bytes free

280 --- E O F --- 2009-06-10 10:03


Well, I downloaded and ran MSRT but it seems to have frozen excruciatingly close to completion. I can see that the blue progress bar has completely filled out; it shows the running time as 03:48:28 and it has scanned 1762380 files. Files infected: 0. Unfortunately, it hasn't moved in the last 30 minutes or so and I'm afraid it will not produce a log file that I can share with you at this time. I'm posting this from my other machine as I restart the infected laptop.

I'm surprised to hear you say that nothing is showing up in the logs. The reason I started this post was actually that MAB reported 5 infections but would crash when I would try to "remove selected infections". Not sure whether the original MAB log I posted shows infections of any kind?

Also, I'm not sure if running these in safe mode vs. normal mode makes any difference. I tried booting into normal mode to run MSRT but the system is just very unstable and hangs 3-4 minutes after booting up.

I will try running MSRT again and post back with the log if it doesn't end up freezing again. In the meantime, if there is anything else you would like me to run / try, please let me know.


Hi ya, it is somewhat puzzling.

MBAM only picked up on some orphaned files/keys, as I suspect the active infection had already been attacked and removed.

RootRepeal and ComboFix are showing no rootkit activity, and ComboFix is not indicating that any of the system files have been patched.

I will ask for a second opinion from a couple of folks, but TBH I can't see any active malware in your logs for looking.

There is the possibility that the infection has previously corrupted something, either in the OS or possibly in the installed software.

Hope to get back to you shortly on it, but for now, do you have the OS install disk available? It might be one avenue to try to resolve the issues.


Reporting back after about 24 hours of use since I last posted. Here's what's going on now:

- I ran a MAB full scan in safe mode soon after your last post and it found 3 infections which it was able to remove

- After restarting in normal mode I ran another full scan and it found nothing this time - 0 infections

- The machine continues to be extremely unstable though - crashing and freezing frequently, mostly when I'm using any of the web browsers - IE, Chrome or Firefox

- It runs more stably in safe mode, but even in safe mode there are way too many hangs

- When booting into safe mode it now gives an error message which I think has to do with ComboFix, saying it can not find "HIDEC.exe"

- When booting into normal mode it gives an error saying it can not find AcSvc.exe

Unfortunately, I do not have an install kit handy so can't re-install the OS. I'm hoping you have some inputs from some of the other folks you mentioned you were going to speak with.

Below are the two MAB logs from the scans mentioned in my first two bullets. Let me know if you see anything revealing. My fear is this has now moved on from being a malware issue to being a "something's-broken-in-the-OS-but-we-can't-find-out-what" issue, which I am sure is out of the scope of what you can help me with. Look forward to your response.

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 2

7/16/2009 5:30:48 PM

mbam-log-2009-07-16 (17-30-45).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 249007

Time elapsed: 42 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 2

7/16/2009 7:18:22 PM

mbam-log-2009-07-16 (19-18-22).txt

Scan type: Full Scan (C:\|)

Objects scanned: 246266

Time elapsed: 1 hour(s), 27 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi ya,

Unfortunately now a few more folks are baffled... The AcSvc.exe error is strange, as the earlier HJT log shows it as being present on the computer, and even more baffling is the missing file on safe mode booting; the file listed is not recognized as a core OS file, so it immediately becomes suspicious, but it is no longer loading.

I'm going to logically try to troubleshoot this, but at the end of the day, if I can't find active malware to attack then I'm very limited as to how I can assist in improving your situation.

Two tasks then to do (both in regular mode).

Not that I see any search hijackers onboard, but I would rather flush certain changes made by malware if they are present on your PC.

Please download GooredFix and save it to your Desktop.

http://jpshortstuff.247fixes.com/GooredFix.exe

Select "2. Fix Goored" by typing 2 and pressing Enter.

Make sure all instances of Firefox are closed at this point.

Type y at the prompt and press Enter again.

A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Second log i would like to see :(

Download and install Autoruns.

http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

When you first run it, it will generate an extensive listing and the word "Ready" will appear in the bottom left of the software GUI.

At this point go to Options and place a check (tick) against "Verify Code Signatures" and "Hide Microsoft and Windows Entries". Next press the F5 key to refresh.

Once the software shows Ready status again, go to the File menu. Select "Save" and save the output file as Autoruns.txt.

Can you please then copy and paste the contents of that text file into your next reply for analysis.

Thanks in advance :)


Hi! Both logs are appended below. On a related note though, as soon as I started up and before I ran either of the two tools you shared, Spybot popped up the following alert:

Category: System Startup global entry

Change: Value Deleted

Entry: UserFaultCheck

Old Data: %systemroot%\system32\dumprep 0 -u

I don't know whether to accept or deny this change - so if you know what this is, let me know.

Here are the logs:

GooredFix by jpshortstuff (12.07.09)

Log created at 11:43 on 17/07/2009 (TCS)

Firefox version 3.0.9 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{16B12FBB-6CCD-4DAB-B94A-37046778C294} -> Success!

Deleting C:\Documents and Settings\TCS\Local Settings\Application Data\{16B12FBB-6CCD-4DAB-B94A-37046778C294} -> Success!

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:43 19/10/2007]

{B13721C7-F507-4982-B2E5-502A71474FED} [12:44 28/10/2008]

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [15:34 07/03/2008]

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [15:08 11/08/2008]

{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [22:59 14/12/2008]

{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [18:27 27/03/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:59 14/12/2008]

-=E.O.F=-

Autoruns

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ Adobe Reader Speed Launcher Adobe Acrobat SpeedLauncher (Verified) Adobe Systems, Incorporated c:\program files\adobe\reader 8.0\reader\reader_sl.exe

+ AdobeCS4ServiceManager Adobe CS4 Service Manager (Verified) Adobe Systems Incorporated c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe

+ AirCardEnabler Network Adapter Manager (Not verified) Sierra Wireless Inc. c:\program files\sierra wireless inc\network adapter manager\network adapter manager.exe

+ ccApp Symantec User Session (Verified) Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe

+ HP Software Update Hewlett-Packard Product Assistant (Not verified) Hewlett-Packard Co. c:\program files\hp\hp software update\hpwuschd2.exe

+ iTunesHelper iTunesHelper Module (Verified) Apple Inc. c:\program files\itunes\ituneshelper.exe

+ MaxMenuMgr FreeAgent


Hi ya,

If possible, could you locate the following file and upload it to VirusTotal for malware checking.

http://www.virustotal.com

Please post back a link to the report generated, as I will need to verify some support data on the file from it.

pmem Physical Memory Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\pmemnt.sys


Hi ya,

That file was legitimate... I hate it when M$ don't verify their own files, as this is usually the domain of malware trying to pretend to be a legitimate system file, but alas not the case here.

After some heavy duty researching I can't find any malware underneath the surface with my tools.

The HIDEC.exe process, which is used to hide windows/command boxes, was probably installed by one of your resident software packages. Something has corrupted this process and I now believe that is the root of the command boxes opening up with browser use etc.

As to what is causing the issues again, it might be damaged software installs, a damaged OS or software conflicts. Unfortunately I can't diagnose that across the board, and if the patient was in front of me I would attempt to uninstall software and reinstall it to see if that made any difference, and attempt to get an OS repair install done.

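The Autoruns routine the helper asked for earlier in the thread (tick "Verify Code Signatures", hide the Microsoft and Windows entries, save the listing as text) and the follow-up check on the "(Not verified) Microsoft Corporation" driver boil down to a triage rule that can be applied mechanically to the whole export. What follows is an added example written for this page, not code from the thread, from Malwarebytes or from Sysinternals. It assumes the saved listing is tab-separated with the columns Entry, Description, Publisher and Image Path on "+" lines beneath a registry-location header line, and that Autoruns writes "File not found: <path>" when an autostart target is missing; the sample export is constructed from the rows pasted in the thread plus two invented rows (magicJack under Application Data, and a missing AcSvc.exe service) so that every rule has something to fire on.

```python
"""Triage an Autoruns text export the way the thread's helper did by hand.

Added example, not part of the thread. Assumes the export is tab-separated
with the columns Entry, Description, Publisher, Image Path on "+ " lines
beneath a registry-location header line, and that Autoruns writes
"File not found: <path>" when an autostart target is missing.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

ENTRY_RE = re.compile(
    r"^\+\s*(?P<entry>[^\t]*)\t(?P<desc>[^\t]*)\t(?P<publisher>[^\t]*)\t(?P<path>.*)$"
)

# Directories an ordinary user can write to; an autostart pointing here is
# worth a second look even when the publisher name looks benign.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)


@dataclass(frozen=True)
class Finding:
    location: str
    entry: str
    publisher: str
    path: str
    reasons: Tuple[str, ...]


def triage(export_text: str) -> List[Finding]:
    """Return the entries that trip at least one of the three triage rules."""
    findings: List[Finding] = []
    location = "(unknown location)"
    for raw in export_text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Lines without a leading "+" are the location headers
            # (HKLM\...\Run, Services, Winlogon\Notify, ...).
            location = line.strip()
            continue
        entry, publisher, path = (m.group(k).strip() for k in ("entry", "publisher", "path"))
        reasons = []
        unverified = not publisher.lower().startswith("(verified)")
        if unverified and "microsoft" in publisher.lower():
            # The pmemnt.sys case from the thread: a Microsoft name with no
            # valid signature is the classic disguise for a dropped driver.
            reasons.append("unsigned binary claiming Microsoft as publisher")
        lowered = path.lower()
        if lowered.startswith("file not found"):
            # The AcSvc.exe / HIDEC.exe symptom: an autostart whose target is gone.
            reasons.append("autostart target missing on disk")
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            reasons.append("image lives in a user-writable location")
        if reasons:
            findings.append(Finding(location, entry, publisher, path, tuple(reasons)))
    return findings


def _row(entry: str, desc: str, publisher: str, path: str) -> str:
    return "\t".join((f"+ {entry}", desc, publisher, path))


# Constructed sample export. The Adobe, ccApp, HP and pmem rows mirror lines
# pasted in the thread; magicJack and AcSvc are invented (assumption) so the
# user-writable and missing-target rules have something to fire on.
SAMPLE_EXPORT = "\n".join([
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    _row("Adobe Reader Speed Launcher", "Adobe Acrobat SpeedLauncher",
         "(Verified) Adobe Systems, Incorporated",
         r"c:\program files\adobe\reader 8.0\reader\reader_sl.exe"),
    _row("ccApp", "Symantec User Session", "(Verified) Symantec Corporation",
         r"c:\program files\common files\symantec shared\ccapp.exe"),
    _row("HP Software Update", "Hewlett-Packard Product Assistant",
         "(Not verified) Hewlett-Packard Co.",
         r"c:\program files\hp\hp software update\hpwuschd2.exe"),
    _row("magicJack", "magicJack", "(Not verified) magicJack LP",
         r"c:\documents and settings\tcs\application data\mjusbsp\magicjack.exe"),
    r"HKLM\System\CurrentControlSet\Services",
    _row("pmem", "Physical Memory Driver", "(Not verified) Microsoft Corporation",
         r"c:\windows\system32\drivers\pmemnt.sys"),
    _row("AcSvc", "Access Connections Service", "(Not verified) Lenovo",
         r"File not found: c:\program files\thinkpad\connectutilities\acsvc.exe"),
])


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"[{f.location}] {f.entry} -> {f.path}")
        for reason in f.reasons:
            print(f"    {reason}")
```

Run against the sample, the script surfaces three rows: pmem (unsigned but claiming Microsoft), magicJack (running out of the user's Application Data folder) and AcSvc (target gone from disk), while the unverified but unremarkable HP updater is left alone. A hit is a prompt to pull the file's hash and check it on VirusTotal, exactly as the helper did, not a verdict: pmemnt.sys came back clean in this thread, and the two missing-target entries were the leftover of a removal rather than live malware.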
