
My PC is down (Rootkit.TDSS) - Help please.


Val2Read


Hi everyone, I could really use some help. Embarrassed to admit that after years of taking all sorts of precautions and having anti-virus and anti-spyware utilities installed on my laptop, it seems I've run into a bug (Rootkit.TDSS) that has proven resistant to efforts to clean it up.

Main symptoms are:

1. Clicking on Google search results gets redirected to unrelated websites or causes Internet Explorer to freeze.

2. Very slow shutdown and bootup - and startup items take forever to load.

3. Slow opening of documents and applications.

4. Multiple instances of iexplore.exe in Task Manager, sometimes even when Internet Explorer is not open.

5. After every reboot, it seems free space on my hard drive decreases.

Ran Malwarebytes' Anti-Malware, Super AntiSpyware, and Bit Defender multiple times, and tried to find the infected files in safe mode (could not find them), and still cannot get rid of the infection.

I would appreciate any help. HijackThis, MBAM and RootRepeal report the following:

********

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:49:04 PM, on 9/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\astsrv.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe

C:\WINDOWS\System32\GEARSec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe

C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

C:\WINDOWS\System32\vssvc.exe

C:\Program Files\Workshare\Modules\Workshare.Protect.Service.SvcHost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\WINDOWS\system32\vsnapvss.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe

C:\WINDOWS\system32\TpShocks.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll

O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [JAVA_IBM] Java (IBM)

O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx

O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab

O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} (DAX Control) - https://mickey.manatt.com/Exchweb/controls/DAX.cab

O20 - AppInit_DLLs: interceptor.dll , C:\WINDOWS\system32\guard32.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe

O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

O23 - Service: ShadowProtect Service (ShadowProtectSvc) - StorageCraft Technology Corporation - C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe

O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

O23 - Service: StorageCraft Shadow Copy Provider (VSNAPVSS) - StorageCraft Technology Corporation - C:\WINDOWS\system32\vsnapvss.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: Workshare Protect Service - Workshare - C:\Program Files\Workshare\Modules\Workshare.Protect.Service.SvcHost.exe

O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--

End of file - 13499 bytes

*****

Malwarebytes' Anti-Malware 1.41

Database version: 2825

Windows 5.1.2600 Service Pack 3

9/20/2009 8:01:11 PM

mbam-log-2009-09-20 (20-01-07).txt

Scan type: Full Scan (C:\|)

Objects scanned: 243897

Time elapsed: 2 hour(s), 0 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\Device\Ide\iaStor0\mpdibcrn\mpdibcrn\tdlwsp.dll (Rootkit.TDSS) -> No action taken.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\Device\Ide\iaStor0\mpdibcrn\mpdibcrn\tdlwsp.dll (Rootkit.TDSS) -> No action taken.

********

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/20 04:07

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_iaStor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys

Address: 0xA1433000 Size: 876544 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0x9DF34000 Size: 49152 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa15ad0b0

Stealth Objects

-------------------

Object: Hidden Module [Name: tdlcmd.dll]

Process: svchost.exe (PID: 1268) Address: 0x00770000 Size: 24576

==EOF==

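As an added example (not from the thread, and not part of MBAM, RootRepeal or any other tool named in it), here is a small Python triage script for the two log formats pasted above. It parses the MBAM "Infected" sections and the RootRepeal "Stealth Objects" entries and separates ordinary, remediated detections from the two signs that make this a rootkit case: a file reported under a `\\?\globalroot\Device\...` path (a device object served by a filter driver, reachable by no drive letter, which is why a safe-mode file search finds nothing) and a module hidden inside a system process. The sample log text is constructed from the thread's own entries plus one made-up, successfully quarantined item for contrast.

```python
import re
from dataclasses import dataclass

# Constructed excerpts in the MBAM 1.41 and RootRepeal 1.3.5 log formats pasted in
# the thread. The tdlwsp.dll / tdlcmd.dll entries reproduce the thread's findings;
# the Trojan.Agent line is made up to show what a remediated detection looks like.
MBAM_SAMPLE = r"""
Memory Modules Infected:
\\?\globalroot\Device\Ide\iaStor0\mpdibcrn\mpdibcrn\tdlwsp.dll (Rootkit.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\iaStor0\mpdibcrn\mpdibcrn\tdlwsp.dll (Rootkit.TDSS) -> No action taken.
C:\Documents and Settings\AA\Local Settings\Temp\dropper.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ROOTREPEAL_SAMPLE = r"""
Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 1268) Address: 0x00770000 Size: 24576
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
HIDDEN_MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
PROCESS_RE = re.compile(
    r"^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)$"
)
# A path under \\?\globalroot\Device\ names a kernel device object directly. No drive
# letter maps to it, so it only shows up because a driver is presenting a hidden volume.
GLOBALROOT_PREFIX = "\\\\?\\globalroot\\device\\"


@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str

    @property
    def on_hidden_volume(self) -> bool:
        return self.path.lower().startswith(GLOBALROOT_PREFIX)

    @property
    def remediated(self) -> bool:
        # MBAM phrases successful actions as "Quarantined ..." or "Deleted ...".
        return self.action.lower().startswith(("quarantined", "deleted"))


@dataclass
class HiddenModule:
    name: str
    process: str
    pid: int
    address: int
    size: int


def parse_mbam(text: str) -> list[Detection]:
    """Collect every '<path> (<family>) -> <action>.' line under an 'Infected:' header."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m["section"]
            continue
        if section and (m := DETECTION_RE.match(line)):
            detections.append(Detection(section, m["path"], m["family"], m["action"]))
    return detections


def parse_rootrepeal(text: str) -> list[HiddenModule]:
    """Pair each 'Object: Hidden Module' line with the 'Process:' line that follows it."""
    modules, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_MODULE_RE.match(line):
            pending = m["name"]
            continue
        if pending and (m := PROCESS_RE.match(line)):
            modules.append(HiddenModule(pending, m["proc"], int(m["pid"]), int(m["addr"], 16), int(m["size"])))
            pending = None
    return modules


def triage(mbam_text: str, rootrepeal_text: str) -> dict:
    """Split detections into rootkit indicators and ordinary cleaned items (paths deduplicated,
    because MBAM lists the same DLL once as a memory module and once as a file)."""
    detections = parse_mbam(mbam_text)
    modules = parse_rootrepeal(rootrepeal_text)
    hidden = sorted({d.path for d in detections if d.on_hidden_volume and not d.remediated})
    return {
        "hidden_volume_files": hidden,
        "hidden_modules": [f"{m.name} in {m.process} (PID {m.pid})" for m in modules],
        "other_unremediated": sorted({d.path for d in detections if not d.remediated and not d.on_hidden_volume}),
        "cleaned": sorted({d.path for d in detections if d.remediated}),
        # Either sign means an ordinary file scan cannot finish the job; a rootkit-aware
        # tool run outside the hijacked driver's view (as the helper recommends) is needed.
        "rootkit_suspected": bool(hidden or modules),
    }


if __name__ == "__main__":
    for key, value in triage(MBAM_SAMPLE, ROOTREPEAL_SAMPLE).items():
        print(f"{key}: {value}")
```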

Welcome to the forum Val2Read

You have done a file search for tdlwsp.dll while in safe mode with no success?

Download and run gmer (use the download exe button) from here >

http://www.gmer.net/#files

Double click GMER. If asked to allow the gmer.sys driver to load, please consent.

If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan..

Click the >> arrow tab > click the Autostart tab, leave the Show all box unchecked, click Scan; when finished, use the Copy button and paste that in your next reply please.


Hi LonnyRJ - I ran GMER in normal mode and here's the result.

GMER 1.0.15.15087 - http://www.gmer.net

Autostart scan 2009-09-21 12:51:28

Windows 5.1.2600 Service Pack 3

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>

!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

AwayNotify@DLLName = C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll

igfxcui@DLLName = igfxdev.dll

tpfnf2@DLLName = notifyf2.dll

tphotkey@DLLName = tphklock.dll

WgaLogon@DLLName = WgaLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = interceptor.dll , C:\WINDOWS\system32\guard32.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>

Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"

astcc@ = "C:\WINDOWS\system32\astsrv.exe"

btwdins@ = C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

cmdAgent@ = "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe"

Diskeeper@ = "C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"

DisplayLinkService@ = "C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe"

FlipShare Service@ = "C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe"

GEARSecurity@ = %SystemRoot%\System32\GEARSec.exe

IBMPMSVC@ = %SystemRoot%\system32\ibmpmsvc.exe

IPSSVC@ = %SystemRoot%\system32\IPSSVC.EXE

LIVESRV@ = "C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service

MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"

ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys

ShadowProtectSvc@ = "C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe"

TPHDEXLGSVC@ = System32\TPHDEXLG.EXE

TpKmpSVC@ = C:\WINDOWS\system32\TpKmpSVC.exe

TSSCoreService@ = "C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe"

TVT Backup Service@ = "C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe"

UCLauncherService@ = C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

V2i Protector@ = C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

VSNAPVSS@ = C:\WINDOWS\system32\vsnapvss.exe

VSSERV@ = "C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service

WMPNetworkSvc@ = "C:\Program Files\Windows Media Player\WMPNetwk.exe"

Workshare Protect Service@ = "C:\Program Files\Workshare\Modules\Workshare.Protect.Service.SvcHost.exe"

XCOMM@ = "C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>

@TpShocksTpShocks.exe = TpShocks.exe

@COMODO Internet Security"C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h = "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

@Malwarebytes Anti-Malware (reboot)"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript = "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

@BitDefender Antiphishing Helper"C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" = "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"

@BDAgent"C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" = "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>

@SUPERAntiSpywareC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

@swg"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>

@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/

@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll

@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll

@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =

@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll

@(null) =

@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll

@{5CA3D70E-1895-11CF-8E15-001234567890} /*DriveLetterAccess*/C:\WINDOWS\System32\DLA\DLASHX_W.DLL = C:\WINDOWS\System32\DLA\DLASHX_W.DLL

@{F6A51CCC-6AA6-46ad-B726-97466F0A38BF} /*SafeGuard


Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop (not elsewhere)


  • You MUST Temporarily disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.
  • Double click on combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the log in your next reply.


Provided that went well and you posted the log.

Launch Notepad (important: not WordPad or another third-party text editor), and copy and paste the contents of the code box below into a new text file. (Don't include the word "code".)

Save it as file name: cfscript.txt

rootkit::
c:\windows\system32\tdlwsp.dll
c:\windows\system32\tdlcmd.dll
killall::

http://users.pandora.be/bluepatchy/miekiem...es/CFScript.gif

As in the picture above drag and drop cfscript.txt onto combofix.exe


Thanks LonnyRJ. I couldn't get past this step. ComboFix started with a small rectangular box, and a green bar. But after a few minutes, ComboFix shut down. Did I do something wrong?



Try running ComboFix while in safe mode; if it restarts the PC, go back into safe mode, then restart to normal and post its log. (Skip the Recovery Console install for now.)

On heavily infected PCs ComboFix may appear to hang; leave it alone for at least five minutes.



LonnyRJ - ComboFix restarted my PC, and I tried to go to safe mode, but despite pushing the F8 key, it restarted in normal mode. ComboFix went on doing its work and generated the log below.

I'm sorry but I'll be tied up during the next 8 hours, so it'll be a while before I can start up again. Thank you very much for helping me with this!

ComboFix 09-09-20.04 - 09/22/2009 3:00.1.2 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2752 [GMT -7:00]

Running from: c:\documents and settings\AA\Desktop\ComboFix.exe

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll

c:\windows\Installer\1ee7ffd.msi

c:\windows\Installer\1ee80c9.msi

c:\windows\Installer\3e4af.msi

c:\windows\Installer\4ada4.msi

c:\windows\run.log

.

((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-19 1830128]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-29 39408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-20 1799952]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]

"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-05 368640]

"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-1-17 618557]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-01-17 20:38 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]

2006-03-23 09:03 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^AA^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\AA\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register FocalPoint 1.0.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register FocalPoint 1.0.lnk

backup=c:\windows\pss\Register FocalPoint 1.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Mask Pro 3.0.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register Mask Pro 3.0.lnk

backup=c:\windows\pss\Register Mask Pro 3.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\ThinkVantage\\AMSG\\AMSG.EXE"=

"c:\\Program Files\\QuickTime\\QTTask.exe"=

"c:\\Program Files\\BitDefender\\BitDefender 2008\\bdagent.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [9/12/2003 3:19 PM 132899]

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [7/4/2006 2:03 PM 85760]

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [5/18/2008 6:45 PM 127520]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [6/28/2009 9:38 PM 132296]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/28/2009 9:38 PM 25160]

R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [9/12/2003 3:48 PM 46810]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 2:50 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 74480]

R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [5/18/2008 6:45 PM 86560]

R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [7/4/2006 2:03 PM 4736]

R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [7/4/2006 2:30 PM 4442]

R2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [12/19/2007 12:28 AM 417792]

R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [11/13/2008 1:17 PM 439616]

R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [12/21/2005 5:14 PM 12544]

R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 1:11 PM 46142]

R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [5/18/2008 6:45 PM 1239584]

R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 4:45 PM 3968]

R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [5/18/2008 6:45 PM 69664]

R2 Workshare Protect Service;Workshare Protect Service;"c:\program files\Workshare\Modules\Workshare.Protect.Service.SvcHost.exe" [9/11/2008 6:06 PM 36864]

R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [3/9/2007 12:09 PM 25704]

R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [3/9/2007 12:16 PM 23400]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 7408]

S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [7/29/2008 7:02 PM 26600]

--- Other Services/Drivers In Memory ---

*Deregistered* - WAM

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Workshare Professional 5.21.9652.292]

c:\program files\Workshare\Modules\WmConfigAssistant.exe /userinit

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Workshare Protect Client]

c:\program files\Workshare\Modules\Workshare.Protect.UserInit.exe

.

Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2009-09-01 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-07-04 08:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/

uInternet Settings,ProxyOverride = <local>

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} - hxxp://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx

DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://mickey.manatt.com/Exchweb/controls/DAX.cab

.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-22 03:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\ALENAG~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\tphklock.dll

c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(1036)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3320)

c:\windows\system32\WININET.dll

tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\xcdipyri\xcdipyri\tdlwsp.dll

c:\windows\system32\PROCHLP.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\COMODO\COMODO Internet Security\cmdagent.exe

c:\windows\system32\IPSSVC.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\ASTSRV.EXE

c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\DisplayLink Core Software\DisplayLinkUI.exe

c:\windows\system32\TPHDEXLG.exe

c:\windows\system32\TpKmpSvc.exe

c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe

c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe

c:\program files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

c:\windows\system32\vssvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\DisplayLink Core Software\DisplayLinkManager.exe

c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

c:\windows\system32\wbem\unsecapp.exe

.

**************************************************************************

.

Completion time: 2009-09-22 3:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-22 10:47

Pre-Run: 2,956,402,688 bytes free

Post-Run: 2,891,587,584 bytes free

209 --- E O F --- 2009-09-09 06:49


I have a quick question, LonnyRJ: In running ComboFix, a dialogue box came up warning that I have BitDefender Antivirus still active (even though the PC is in safe mode). I tried to find a way to shut it down, but in looking at Task Manager, I don't see any BitDefender processes/applications active.

Should I ignore this and allow ComboFix to press on? Please let me know. Thanks.


Hi LonnyRJ, here is what ComboFix logged after the latest run:

ComboFix 09-09-22.01 - 09/22/2009 16:49.2.2 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2757 [GMT -7:00]

Running from: c:\documents and settings\AA\Desktop\ComboFix.exe

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

ADS - WINDOWS: deleted 0 bytes in 1 streams.

PEV Error: AppFolder

((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))

.

2009-09-20 21:48 . 2009-09-20 21:48 -------- d-----w- c:\program files\Trend Micro

2009-09-20 18:18 . 2009-09-20 18:18 -------- d-----w- c:\documents and settings\AAApplication Data\Bitdefender

2009-09-20 18:17 . 2009-09-20 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender

2009-09-19 23:40 . 2009-09-19 23:40 -------- d--ha-w- c:\windows\PIF

2009-09-13 03:05 . 2009-09-13 03:05 -------- d-----w- c:\program files\ePaperPress

2009-09-09 04:20 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-08-31 04:41 . 2009-08-31 04:51 -------- d-----w- c:\program files\Topaz Labs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-22 22:38 . 2008-07-03 04:03 81984 ----a-w- c:\windows\system32\bdod.bin

2009-09-22 22:29 . 2008-03-08 09:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-20 22:11 . 2008-06-13 23:33 -------- d-----w- c:\documents and settings\AA\Application Data\R-Wipe&Clean

2009-09-20 18:17 . 2008-05-18 07:33 -------- d-----w- c:\program files\Common Files\BitDefender

2009-09-20 09:11 . 2008-10-01 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\R-Wipe&Clean

2009-09-20 01:22 . 2008-12-11 08:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-20 01:22 . 2009-05-01 07:09 -------- d-----w- c:\program files\SpywareBlaster

2009-09-20 00:33 . 2009-06-29 04:38 179792 ----a-w- c:\windows\system32\guard32.dll

2009-09-20 00:33 . 2009-06-29 04:38 87104 ----a-w- c:\windows\system32\drivers\inspect.sys

2009-09-20 00:33 . 2009-06-29 04:38 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2009-09-20 00:33 . 2009-06-29 04:38 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys

2009-09-19 06:08 . 2008-12-11 14:44 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-13 08:50 . 2008-02-08 09:18 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-10 21:54 . 2008-12-11 08:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 21:53 . 2008-12-11 08:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-09 06:45 . 2006-08-09 02:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-06 00:04 . 2008-08-01 20:06 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-30 18:59 . 2008-06-13 04:42 -------- d-----w- c:\program files\PurgeIE

2009-08-23 05:40 . 2006-08-16 06:17 -------- d---a-w- c:\documents and settings\AA\Application Data\Apple Computer

2009-08-22 21:16 . 2009-08-22 21:16 -------- d-----w- c:\documents and settings\AA\Application Data\Auto FX Software

2009-08-07 01:08 . 2009-08-07 01:08 6456320 ----a-w- c:\windows\system32\tlidetail10.dll

2009-08-05 09:01 . 1980-01-01 07:00 204800 ------w- c:\windows\system32\mswebdvd.dll

2009-08-02 07:43 . 2006-08-07 23:17 -------- d---a-w- c:\documents and settings\AA\Application Data\U3

2009-07-17 19:01 . 1980-01-01 07:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 1980-01-01 07:00 286208 ------w- c:\windows\system32\wmpdxm.dll

2009-07-08 04:50 . 2006-07-04 21:28 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

2009-06-29 16:12 . 1980-01-01 07:00 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2009-06-04 05:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 1980-01-01 07:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2009-04-24 03:06 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 1980-01-01 07:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 1980-01-01 07:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 1980-01-01 07:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 1980-01-01 07:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 1980-01-01 07:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-22_10.37.18 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-08-04 19:02 . 2009-09-22 22:39 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2006-08-04 19:02 . 2009-09-22 10:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2006-08-04 19:02 . 2009-09-22 22:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2006-08-04 19:02 . 2009-09-22 10:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-05-25 07:10 . 2009-09-22 22:39 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-05-25 07:10 . 2009-09-22 10:25 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-19 1830128]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-20 1799952]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]

"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-05 368640]

"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-1-17 618557]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-01-17 20:38 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]

2006-03-23 09:03 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^AA^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\AA\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register FocalPoint 1.0.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register FocalPoint 1.0.lnk

backup=c:\windows\pss\Register FocalPoint 1.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Mask Pro 3.0.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register Mask Pro 3.0.lnk

backup=c:\windows\pss\Register Mask Pro 3.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\ThinkVantage\\AMSG\\AMSG.EXE"=

"c:\\Program Files\\QuickTime\\QTTask.exe"=

"c:\\Program Files\\BitDefender\\BitDefender 2008\\bdagent.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [9/12/2003 3:19 PM 132899]

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [7/4/2006 2:03 PM 85760]

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [5/18/2008 6:45 PM 127520]

S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [6/28/2009 9:38 PM 132296]

S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/28/2009 9:38 PM 25160]

S1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [9/12/2003 3:48 PM 46810]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 2:50 PM 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 74480]

S1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [5/18/2008 6:45 PM 86560]

S1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [7/4/2006 2:03 PM 4736]

S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [7/4/2006 2:30 PM 4442]

S2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [12/19/2007 12:28 AM 417792]

S2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [11/13/2008 1:17 PM 439616]

S2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [12/21/2005 5:14 PM 12544]

S2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 1:11 PM 46142]

S2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [5/18/2008 6:45 PM 1239584]

S2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 4:45 PM 3968]

S2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [5/18/2008 6:45 PM 69664]

S2 Workshare Protect Service;Workshare Protect Service;"c:\program files\Workshare\Modules\Workshare.Protect.Service.SvcHost.exe" [9/11/2008 6:06 PM 36864]

S3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [3/9/2007 12:09 PM 25704]

S3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [3/9/2007 12:16 PM 23400]

S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [7/29/2008 7:02 PM 26600]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Workshare Professional 5.21.9652.292]

c:\program files\Workshare\Modules\WmConfigAssistant.exe /userinit

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Workshare Protect Client]

c:\program files\Workshare\Modules\Workshare.Protect.UserInit.exe

.

Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2009-09-01 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-07-04 08:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/

uInternet Settings,ProxyOverride = <local>

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} - hxxp://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx

DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://mickey.manatt.com/Exchweb/controls/DAX.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-22 17:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(292)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\tphklock.dll

c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(352)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1460)

c:\windows\system32\WININET.dll

tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\qximbeqq\qximbeqq\tdlwsp.dll

.

Completion time: 2009-09-23 17:19

ComboFix-quarantined-files.txt 2009-09-23 00:19

ComboFix2.txt 2009-09-22 10:47

Pre-Run: 2,857,103,360 bytes free

Post-Run: 2,813,874,176 bytes free

216 --- E O F --- 2009-09-09 06:49
