
Infection: "system-check.com" [Solved]


  • This topic is locked
133 replies to this topic

#1 Dean N
Authentic Member, 152 posts

Posted 27 December 2011 - 10:34 PM

Hello,

Looks like my computer got hit with something tonight. It hijacked my tray, quick start menu, start menu, desktop, IE, and task manager. Malwarebytes failed to fix it, and it prevented Spybot from installing.
I'm getting prompted to buy "system-check" at "system-check.com" and was redirected from Google to "Infomash.com" and "StarFeedsmixer.org", if that helps.
Thanks in advance for any help. You guys ROCK! Please advise.

I did manage to get a HijackThis logfile:





Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:36:34 PM, on 12/27/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\All Users\Application Data\gCewtKdyITBp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [4shared Update] "C:\Program Files\4shared Desktop\checkUpdate.exe"
O4 - HKLM\..\Run: [gCewtKdyITBp.exe] C:\Documents and Settings\All Users\Application Data\gCewtKdyITBp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SODCPreLoad] C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe C:\DOCUME~1\DEANNI~1\IBM\Lotus\Symphony\.sodc\
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: &Download All using 4shared Desktop - C:\Program Files\4shared Desktop\down_all.htm
O8 - Extra context menu item: &Download using 4shared Desktop - C:\Program Files\4shared Desktop\down_link.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: NitroPDFReaderDriverCreatorReadSpool2 (NitroReaderDriverReadSpool2) - Nitro PDF Software - C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
--
End of file - 10572 bytes

Edited by Dean N, 27 December 2011 - 10:36 PM.



#2 ken545
Forum God, MVP, 23,225 posts
Retired Classroom Teacher
Interests: Fighting Malware and cooking some great Italian and TexMex food

Posted 29 December 2011 - 03:22 PM

:welcome:

Let's see if you can get these to run and post the logs please; just copy and paste them in, do not attach them.


Download aswMBR.exe (511KB) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.







Download DDS from one of the links below to your desktop

Link 1
Link 2

  • Double click the tool to run it.
  • A black Screen will open, just read the contents and do nothing.
  • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
  • Copy/Paste the contents of 'DDS.txt' into your post.
  • 'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files)


 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.

#3 Dean N
Authentic Member, 152 posts

Posted 29 December 2011 - 08:10 PM

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-29 19:00:31
-----------------------------
19:00:31.628 OS Version: Windows 5.1.2600 Service Pack 3
19:00:31.628 Number of processors: 2 586 0xF06
19:00:31.628 ComputerName: D2 UserName:
19:00:34.737 Initialze error 0 - driver not loaded
19:01:15.253 AVAST engine defs: 11122901
19:02:58.893 Service scanning
19:02:59.987 Modules scanning
19:02:59.987 Disk 0 trace - called modules:
19:02:59.987
19:03:00.831 AVAST engine scan C:\WINDOWS
19:03:02.831 AVAST engine scan C:\WINDOWS\system32
19:04:44.456 AVAST engine scan C:\WINDOWS\system32\drivers
19:04:52.393 AVAST engine scan C:\Documents and Settings\Dean Nicholson
19:07:21.862 AVAST engine scan C:\Documents and Settings\All Users
19:07:22.159 File: C:\Documents and Settings\All Users\Application Data\gCewtKdyITBp.exe **INFECTED** Win32:FakeAlert-BTP [Trj]
19:07:22.237 File: C:\Documents and Settings\All Users\Application Data\GZzviPbdBiShIt.exe **INFECTED** Win32:FakeAlert-BTP [Trj]
19:07:23.925 Scan finished successfully
19:31:16.675 The log file has been saved successfully to "C:\Documents and Settings\Dean Nicholson\My Documents\aswMBR.txt"

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dean Nicholson at 19:39:23 on 2011-12-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2127 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Documents and Settings\All Users\Application Data\gCewtKdyITBp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Application Data\GZzviPbdBiShIt.exe
C:\Documents and Settings\Dean Nicholson\Local Settings\Temporary Internet Files\Content.IE5\NR22K66D\aswMBR[2].exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\dean nicholson\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SODCPreLoad] c:\program files\ibm\lotus\symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe c:\docume~1\deanni~1\ibm\lotus\symphony\.sodc\
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [gCewtKdyITBp.exe] c:\documents and settings\all users\application data\gCewtKdyITBp.exe
StartupFolder: c:\docume~1\deanni~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4609C208-70A5-4AAA-89A5-080CF9A53B4F} : DhcpNameServer = 192.168.1.1
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli ACGina
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-8-31 24304]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-9-1 13480]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-8-31 132456]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2011-10-10 196912]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-8-31 53248]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-9-1 63928]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-30 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-9-1 45496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-30 136176]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2005-11-18 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2005-8-5 73600]
.
=============== Created Last 30 ================
.
2011-12-28 03:45:41 363520 ---ha-w- c:\documents and settings\all users\application data\GZzviPbdBiShIt.exe
2011-12-28 03:22:24 452608 ---ha-w- c:\documents and settings\all users\application data\gCewtKdyITBp.exe
2011-12-18 21:29:48 -------- d--h--w- c:\program files\Yahoo!
.
==================== Find3M ====================
.
2011-12-28 00:19:02 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24:06 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ---ha-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ---h--w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ---h--w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-10-10 12:31:12 17712 ---ha-w- c:\windows\system32\nitrolocalui2.dll
2011-10-10 12:31:10 26416 ---ha-w- c:\windows\system32\nitrolocalmon2.dll
.
============= FINISH: 19:45:07.00 ===============

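A small triage script, added here as an example and not a tool from this thread or from the forum's staff, shows how the pieces of evidence in the logs above line up: it takes the aswMBR `**INFECTED**` lines and HijackThis/DDS-style autorun, BHO, policy and "created" lines, cross-references the scanner detections against the startup entries, and flags the two other patterns visible in these logs, an executable launched straight out of a profile data root and the `NoDesktop` policy that matches the hidden-desktop symptom reported in the first post. The sample lines are constructed to mirror the posted logs; the `DisableTaskMgr` and `DisableRegistryTools` policy names are real Explorer/System policy values that do not appear in the posted logs and are included as a generalisation; all function and variable names are the example's own.

```python
"""Cross-reference scanner detections with startup entries from HijackThis/DDS logs.

Added example (not a tool from this thread). Sample lines are constructed to mirror
the aswMBR, HijackThis and DDS output posted above; names are the example's own.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: aswMBR detections modelled on post #3.
ASWMBR_LINES = [
    r"19:07:22.159 File: C:\Documents and Settings\All Users\Application Data\gCewtKdyITBp.exe **INFECTED** Win32:FakeAlert-BTP [Trj]",
    r"19:07:22.237 File: C:\Documents and Settings\All Users\Application Data\GZzviPbdBiShIt.exe **INFECTED** Win32:FakeAlert-BTP [Trj]",
    r"19:07:23.925 Scan finished successfully",
]

# Constructed sample: HijackThis and DDS style lines modelled on posts #1 and #3.
HJT_LINES = [
    r"O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe",
    r"O4 - HKLM\..\Run: [gCewtKdyITBp.exe] C:\Documents and Settings\All Users\Application Data\gCewtKdyITBp.exe",
    r'O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c',
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)",
    r"uPolicies-explorer: NoDesktop = 1 (0x1)",
    r"2011-12-28 03:45:41 363520 ---ha-w- c:\documents and settings\all users\application data\GZzviPbdBiShIt.exe",
]

INFECTED_RE = re.compile(r"File: (?P<path>.+?) \*\*INFECTED\*\* (?P<verdict>\S+)")
# A drive-letter path ending in a PE or driver extension; quotes and brackets end the match.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|cpl)\b', re.IGNORECASE)
# Explorer/System policy values that hide the desktop or lock the user out of tools.
# Real policy names; only NoDesktop appears in the posted logs (the others are a generalisation).
POLICY_RE = re.compile(r"\b(NoDesktop|DisableTaskMgr|DisableRegistryTools)\s*=\s*1\b")
# HijackThis' own markers for entries whose target no longer exists on disk.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)")

Finding = Tuple[str, str, str]  # (severity, reason, original line)


def infected_paths(scanner_lines: List[str]) -> Dict[str, str]:
    """Map each lower-cased path from a **INFECTED** line to the scanner's verdict."""
    found: Dict[str, str] = {}
    for line in scanner_lines:
        m = INFECTED_RE.search(line)
        if m:
            found[m.group("path").lower()] = m.group("verdict")
    return found


def sits_in_profile_root(path: str) -> bool:
    r"""True when the executable's parent directory is itself a shared/user data root
    (e.g. ...\All Users\Application Data\x.exe) rather than a vendor subfolder beneath it."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent.endswith(("\\application data", "\\temp"))


def triage(scanner_lines: List[str], log_lines: List[str]) -> List[Finding]:
    """Return findings for the HJT/DDS lines, strongest evidence first."""
    bad = infected_paths(scanner_lines)
    findings: List[Finding] = []
    for line in log_lines:
        m = PATH_RE.search(line)
        path = m.group(0) if m else None
        policy = POLICY_RE.search(line)
        if path and path.lower() in bad:
            findings.append(("HIGH", f"references scanner detection {bad[path.lower()]}", line))
        elif path and sits_in_profile_root(path):
            findings.append(("MEDIUM", "executable launched directly from a profile data root", line))
        elif policy:
            findings.append(("MEDIUM", f"restrictive policy set: {policy.group(1)}", line))
        elif ORPHAN_RE.search(line):
            findings.append(("LOW", "orphaned entry, target file no longer exists", line))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: rank[f[0]])  # stable sort keeps log order within a level
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(ASWMBR_LINES, HJT_LINES):
        print(f"[{severity}] {reason}\n    {line}")
```

Google Update's entry under `Local Settings\Application Data\Google\Update` is deliberately not flagged: the rule looks at the immediate parent directory, not merely at whether the path is somewhere under a profile, which is what separates an auto-updater in a vendor subfolder from a loader dropped directly into `All Users\Application Data`. The "(no file)" and "(file missing)" entries are reported LOW because, as HijackThis' own markers say, the target is gone; they are cleanup noise rather than evidence of an active infection.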

#4 ken545
Forum God, MVP, 23,225 posts
Retired Classroom Teacher
Interests: Fighting Malware and cooking some great Italian and TexMex food

Posted 30 December 2011 - 04:03 AM

Good Morning,

I was looking for a rootkit type of infection that sometimes is responsible for installing other garbage but don't see one, but your system is infected, so let's do this.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

 
 

#5 Dean N
Authentic Member, 152 posts

Posted 30 December 2011 - 11:35 AM

ComboFix 11-12-29.05 - Dean Nicholson 12/30/2011 11:23:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2191 [GMT -5:00]
Running from: c:\documents and settings\Dean Nicholson\My Documents\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~GZzviPbdBiShIt
c:\documents and settings\All Users\Application Data\~GZzviPbdBiShItr
c:\documents and settings\All Users\Application Data\gCewtKdyITBp.exe
c:\documents and settings\All Users\Application Data\GZzviPbdBiShIt
c:\documents and settings\All Users\Application Data\GZzviPbdBiShIt.exe
c:\documents and settings\All Users\Application Data\YXXTxtXBks.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-12-30 12:21 . 2011-12-30 12:21 -------- d-----w- c:\windows\system32\LogFiles
2011-12-30 01:16 . 2011-12-30 01:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-21 00:36 . 2011-12-29 01:52 -------- d--h--w- c:\documents and settings\Dean Nicholson\Application Data\Skype
2011-12-21 00:36 . 2011-12-29 01:52 -------- d--h--w- c:\documents and settings\All Users\Application Data\Skype
2011-12-18 21:32 . 2011-12-18 21:32 -------- d--h--w- c:\documents and settings\Dean Nicholson\Application Data\Yahoo!
2011-12-18 21:29 . 2011-12-23 05:00 -------- d--h--w- c:\program files\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 00:19 . 2011-07-01 01:56 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-07-01 02:22 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2010-08-30 18:15 1859584 ---ha-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2010-08-30 18:15 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2010-08-30 18:15 43520 ---h--w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2010-08-30 18:15 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2010-08-30 18:15 385024 ---h--w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2010-08-30 18:15 1288704 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-08-30 18:15 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2010-08-30 18:15 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-08-30 18:26 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-10-10 12:31 . 2011-07-02 02:13 17712 ---ha-w- c:\windows\system32\nitrolocalui2.dll
2011-10-10 12:31 . 2011-07-02 02:13 26416 ---ha-w- c:\windows\system32\nitrolocalmon2.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2011-07-03 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-05-12 517480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-03-05 3093816]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-04-22 431464]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2010-04-22 181608]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-23 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Dean Nicholson\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\B]
@="service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [8/31/2010 12:26 PM 24304]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/1/2010 11:16 AM 13480]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [8/31/2010 12:26 PM 132456]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [10/10/2011 7:32 AM 196912]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/31/2010 12:26 PM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/1/2010 11:16 AM 63928]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 2:54 PM 37312]
S2 B;B;c:\windows\system32\svchost.exe -k netsvcs [8/30/2010 1:15 PM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/1/2010 11:16 AM 45496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 3:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 2:42 PM 73600]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
B
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004Core.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004UA.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2011-12-30 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-08-31 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-gCewtKdyITBp.exe - c:\documents and settings\All Users\Application Data\gCewtKdyITBp.exe
HKLM-Run-YXXTxtXBks.exe - c:\documents and settings\All Users\Application Data\YXXTxtXBks.exe
Notify-ACNotify - ACNotify.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-30 11:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\B]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\DEANNI~1\LOCALS~1\Temp\B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1112)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\Macromed\Flash\Flash11e.ocx
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\igfxext.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-30 12:15:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-30 17:14
.
Pre-Run: 78,964,023,296 bytes free
Post-Run: 79,828,881,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4A503827F668CF1583873ED6F4188618

#6 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 30 December 2011 - 12:18 PM

Hi, Combofix removed what I hoped it would, but I am looking at one suspicious entry. Malwarebytes has been updated: open the program and check for updates, download the new version, then run the Quick scan and post the log please.

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#7 Dean N


Posted 30 December 2011 - 12:33 PM

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.30.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dean Nicholson :: D2 [administrator]

12/30/2011 1:27:41 PM
mbam-log-2011-12-30 (13-27-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 178043
Time elapsed: 1 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#8 ken545


Posted 30 December 2011 - 01:03 PM

:thumbup:

Download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.




ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.


#9 Dean N


Posted 30 December 2011 - 03:29 PM

MBRCheck, version 1.2.3 © 2010, AD Command-line: Windows Version: Windows XP Professional Windows Information: Service Pack 3 (build 2600) Logical Drives Mask: 0x0000000c Kernel Drivers (total 142): 0x804D7000 \WINDOWS\system32\ntkrnlpa.exe 0x806E5000 \WINDOWS\system32\hal.dll 0xBA5A8000 \WINDOWS\system32\KDCOM.DLL 0xBA4B8000 \WINDOWS\system32\BOOTVID.dll 0xB9F79000 ACPI.sys 0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS 0xB9F68000 pci.sys 0xBA0A8000 isapnp.sys 0xBA4BC000 compbatt.sys 0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS 0xBA670000 pciide.sys 0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS 0xB9F4A000 pcmcia.sys 0xBA0B8000 MountMgr.sys 0xB9F2B000 ftdisk.sys 0xBA330000 PartMgr.sys 0xBA4C4000 ACPIEC.sys 0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 0xBA0C8000 VolSnap.sys 0xB9F13000 atapi.sys 0xB9E4B000 iaStor.sys 0xBA0D8000 disk.sys 0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS 0xB9E2B000 fltMgr.sys 0xB9E19000 sr.sys 0xBA338000 PxHelp20.sys 0xB9E02000 KSecDD.sys 0xBA340000 DozeHDD.sys 0xB9D75000 Ntfs.sys 0xB9D48000 NDIS.sys 0xBA0F8000 Combo-Fix.sys 0xB9D2E000 Mup.sys 0xBA1C8000 \SystemRoot\system32\DRIVERS\intelppm.sys 0xB98C7000 \SystemRoot\system32\DRIVERS\ati2mtag.sys 0xB98B3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS 0xB988B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys 0xB984E000 \SystemRoot\system32\DRIVERS\e1e5132.sys 0xB9705000 \SystemRoot\system32\DRIVERS\athw.sys 0xBA430000 \SystemRoot\system32\DRIVERS\usbuhci.sys 0xB96E1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS 0xBA460000 \SystemRoot\system32\DRIVERS\usbehci.sys 0xBA1D8000 \SystemRoot\system32\DRIVERS\i8042prt.sys 0xBA480000 \SystemRoot\system32\DRIVERS\kbdclass.sys 0xB95A4000 \SystemRoot\system32\DRIVERS\SynTP.sys 0xBA5B0000 \SystemRoot\system32\DRIVERS\USBD.SYS 0xBA1E8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS 0xB9533000 \SystemRoot\System32\Drivers\wdf01000.sys 0xBA3F0000 \SystemRoot\system32\DRIVERS\mouclass.sys 0xBA400000 \SystemRoot\system32\DRIVERS\nscirda.sys 0xBA58C000 
\SystemRoot\system32\DRIVERS\irenum.sys 0xBA408000 \SystemRoot\system32\DRIVERS\atmeltpm.sys 0xBA59C000 \SystemRoot\system32\DRIVERS\CmBatt.sys 0xBA418000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys 0xBA1F8000 \SystemRoot\system32\DRIVERS\imapi.sys 0xBA208000 \SystemRoot\system32\DRIVERS\cdrom.sys 0xBA218000 \SystemRoot\system32\DRIVERS\redbook.sys 0xB94E8000 \SystemRoot\system32\DRIVERS\ks.sys 0xBA488000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys 0xBA7BE000 \SystemRoot\system32\DRIVERS\audstub.sys 0xBA4A0000 \SystemRoot\system32\DRIVERS\rasirda.sys 0xBA4B0000 \SystemRoot\system32\DRIVERS\TDI.SYS 0xBA228000 \SystemRoot\system32\DRIVERS\rasl2tp.sys 0xB9CF6000 \SystemRoot\system32\DRIVERS\ndistapi.sys 0xB94D1000 \SystemRoot\system32\DRIVERS\ndiswan.sys 0xBA238000 \SystemRoot\system32\DRIVERS\raspppoe.sys 0xBA248000 \SystemRoot\system32\DRIVERS\raspptp.sys 0xB94C0000 \SystemRoot\system32\DRIVERS\psched.sys 0xBA258000 \SystemRoot\system32\DRIVERS\msgpc.sys 0xBA3B0000 \SystemRoot\system32\DRIVERS\ptilink.sys 0xBA3C0000 \SystemRoot\system32\DRIVERS\raspti.sys 0xB9490000 \SystemRoot\system32\DRIVERS\rdpdr.sys 0xBA268000 \SystemRoot\system32\DRIVERS\termdd.sys 0xBA428000 \SystemRoot\system32\DRIVERS\psadd.sys 0xBA448000 \SystemRoot\system32\DRIVERS\Tvti2c.sys 0xBA5C4000 \SystemRoot\system32\DRIVERS\swenum.sys 0xB9432000 \SystemRoot\system32\DRIVERS\update.sys 0xB9C95000 \SystemRoot\system32\DRIVERS\mssmbios.sys 0xBA298000 \SystemRoot\system32\DRIVERS\wsimd.sys 0xBA2B8000 \SystemRoot\System32\Drivers\NDProxy.SYS 0xAD318000 \SystemRoot\system32\drivers\ADIHdAud.sys 0xAD2F4000 \SystemRoot\system32\drivers\portcls.sys 0xBA2E8000 \SystemRoot\system32\drivers\drmk.sys 0xAD2DD000 \SystemRoot\system32\drivers\AEAudio.sys 0xAD2A9000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys 0xAD1B8000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys 0xAD105000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys 0xBA478000 \SystemRoot\System32\Drivers\Modem.SYS 0xBA308000 \SystemRoot\system32\DRIVERS\usbhub.sys 
0xBA5D6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS 0xBA6AB000 \SystemRoot\System32\Drivers\Null.SYS 0xBA5DA000 \SystemRoot\System32\Drivers\Beep.SYS 0xBA390000 \SystemRoot\System32\drivers\vga.sys 0xBA5DE000 \SystemRoot\System32\Drivers\mnmdd.SYS 0xBA5E2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys 0xBA3A0000 \SystemRoot\System32\Drivers\Msfs.SYS 0xBA3B8000 \SystemRoot\System32\Drivers\Npfs.SYS 0xBA598000 \SystemRoot\system32\DRIVERS\rasacd.sys 0xAD08A000 \SystemRoot\system32\DRIVERS\ipsec.sys 0xAD031000 \SystemRoot\system32\DRIVERS\tcpip.sys 0xACF91000 \SystemRoot\system32\DRIVERS\netbt.sys 0xACF6B000 \SystemRoot\system32\DRIVERS\ipnat.sys 0xBA128000 \SystemRoot\system32\DRIVERS\wanarp.sys 0xACF49000 \SystemRoot\System32\drivers\afd.sys 0xBA138000 \SystemRoot\system32\DRIVERS\netbios.sys 0xBA3E8000 \SystemRoot\System32\drivers\Tppwrif.sys 0xBA148000 \SystemRoot\System32\Drivers\tcusb.sys 0xBA440000 \SystemRoot\system32\DRIVERS\TPHKDRV.sys 0xACE5E000 \SystemRoot\system32\DRIVERS\rdbss.sys 0xACDEE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys 0xBA5EA000 \SystemRoot\system32\DRIVERS\smiif32.sys 0xBA5EE000 \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys 0xBA158000 \SystemRoot\System32\Drivers\Fips.SYS 0xAD02D000 \SystemRoot\System32\drivers\ANC.SYS 0xBA188000 \SystemRoot\System32\Drivers\Cdfs.SYS 0xACD06000 \SystemRoot\System32\Drivers\dump_iaStor.sys 0xBF800000 \SystemRoot\System32\win32k.sys 0xB9C99000 \SystemRoot\System32\drivers\Dxapi.sys 0xBA3D0000 \SystemRoot\System32\watchdog.sys 0xBF000000 \SystemRoot\System32\drivers\dxg.sys 0xBA7CB000 \SystemRoot\System32\drivers\dxgthk.sys 0xBF012000 \SystemRoot\System32\ati2dvag.dll 0xBF065000 \SystemRoot\System32\ati2cqag.dll 0xBF0FE000 \SystemRoot\System32\atikvmag.dll 0xBF182000 \SystemRoot\System32\atiok3x2.dll 0xBF1CD000 \SystemRoot\System32\ati3duag.dll 0xBF572000 \SystemRoot\System32\ativvaxx.dll 0xBF9C6000 \SystemRoot\System32\ATMFD.DLL 0xAA0C7000 \SystemRoot\system32\DRIVERS\irda.sys 0xBA4D8000 
\SystemRoot\system32\DRIVERS\ndisuio.sys 0xACFED000 \SystemRoot\system32\DRIVERS\s24trans.sys 0xA8DC8000 \SystemRoot\system32\drivers\wdmaud.sys 0xA8D9B000 \SystemRoot\system32\DRIVERS\mrxdav.sys 0xA8E5D000 \SystemRoot\system32\drivers\sysaudio.sys 0xA883D000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys 0xA86D5000 \SystemRoot\system32\DRIVERS\srv.sys 0xA8051000 \SystemRoot\System32\Drivers\HTTP.sys 0xBA360000 \??\C:\ComboFix\catchme.sys 0xBA5BC000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 0xAA305000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS 0xA7586000 \SystemRoot\System32\Drivers\Fastfat.SYS 0xA755B000 \SystemRoot\system32\drivers\kmixer.sys 0x7C900000 \WINDOWS\system32\ntdll.dll Processes (total 64): 0 System Idle Process 4 System 1032 C:\WINDOWS\system32\smss.exe 1080 csrss.exe 1112 C:\WINDOWS\system32\winlogon.exe 1156 C:\WINDOWS\system32\services.exe 1168 C:\WINDOWS\system32\lsass.exe 1336 C:\WINDOWS\system32\ibmpmsvc.exe 1388 C:\WINDOWS\system32\ati2evxx.exe 1408 C:\WINDOWS\system32\svchost.exe 1484 svchost.exe 1540 C:\WINDOWS\system32\svchost.exe 1720 C:\Program Files\Intel\WiFi\bin\S24EvMon.exe 1744 C:\WINDOWS\system32\ati2evxx.exe 1868 svchost.exe 1944 svchost.exe 712 C:\WINDOWS\system32\spoolsv.exe 768 svchost.exe 868 C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe 912 C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe 1632 C:\WINDOWS\system32\acs.exe 1476 C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe 240 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe 488 wmiprvse.exe 1008 C:\Program Files\Bonjour\mDNSResponder.exe 1024 C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE 908 C:\Program Files\Intel\WiFi\bin\EvtEng.exe 2232 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe 2288 C:\Program Files\Java\jre6\bin\jqs.exe 2636 C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe 2700 C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe 2756 C:\Program Files\Common 
Files\Intel\WirelessCommon\RegSrvc.exe 3024 C:\WINDOWS\system32\svchost.exe 3128 tvttcsd.exe 3216 unsecapp.exe 3284 C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe 3684 C:\WINDOWS\system32\wscntfy.exe 688 alg.exe 2864 C:\Program Files\Analog Devices\Core\smax4pnp.exe 2904 C:\WINDOWS\system32\igfxsrvc.exe 3040 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 3168 C:\WINDOWS\system32\rundll32.exe 3272 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe 3364 C:\Program Files\Lenovo\Client Security Solution\cssauth.exe 3032 C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe 3400 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe 3276 C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe 3456 C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.EXE 3464 C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe 3524 C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.EXE 3552 C:\Program Files\Lenovo\ZOOM\TpScrex.exe 3592 C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE 3484 C:\Program Files\iTunes\iTunesHelper.exe 3072 C:\WINDOWS\system32\igfxext.exe 2204 C:\Program Files\Common Files\Java\Java Update\jusched.exe 4020 C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe 4056 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe 1608 C:\WINDOWS\system32\svchost.exe 1524 C:\Program Files\iPod\bin\iPodService.exe 3976 C:\WINDOWS\explorer.exe 3448 C:\WINDOWS\system32\svchost.exe 364 C:\Program Files\Internet Explorer\iexplore.exe 3776 C:\WINDOWS\system32\ctfmon.exe 376 C:\Documents and Settings\Dean Nicholson\Desktop\MBRCheck.exe \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS) PhysicalDrive0 Model Number: HTS721010G9SA00, Rev: MCZIC10V Size Device Name MBR Status -------------------------------------------- 93 GB \\.\PhysicalDrive0 MBR Code Faked! SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979 Found non-standard or infected MBR. Enter 'Y' and hit ENTER for more options, or 'N' to exit: Done! 
C:\Documents and Settings\Dean Nicholson\Application Data\Sun\Java\Deployment\cache\6.0\30\6d45e41e-7cc0c7bd  Java/Exploit.CVE-2011-3544.H trojan
C:\Documents and Settings\Dean Nicholson\Local Settings\Temporary Internet Files\Content.IE5\UN98AFDT\score[1].swf  SWF/Exploit.Agent.CY trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\gCewtKdyITBp.exe.vir  a variant of Win32/Kryptik.YCG trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\GZzviPbdBiShIt.exe.vir  a variant of Win32/Kryptik.YCG trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\YXXTxtXBks.exe.vir  a variant of Win32/Kryptik.YGB trojan
C:\System Volume Information\_restore{49958B21-B9D7-4D32-8066-483A17B38D14}\RP146\A0013533.exe  a variant of Win32/Kryptik.YCG trojan
C:\System Volume Information\_restore{49958B21-B9D7-4D32-8066-483A17B38D14}\RP146\A0013534.exe  a variant of Win32/Kryptik.YCG trojan
C:\System Volume Information\_restore{49958B21-B9D7-4D32-8066-483A17B38D14}\RP146\A0013535.exe  a variant of Win32/Kryptik.YGB trojan

#10 ken545


Posted 30 December 2011 - 05:11 PM

Most of those files are in Quarantine and are not harmful; we will deal with those when we're done.


Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • If it doesn't, manually reboot to ensure a complete clean



Your Master Boot Record may be infected, not sure, let me see a new log please

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply
Posted Image



#11 Dean N


Posted 30 December 2011 - 06:43 PM

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-29 19:00:31
-----------------------------
19:00:31.628 OS Version: Windows 5.1.2600 Service Pack 3
19:00:31.628 Number of processors: 2 586 0xF06
19:00:31.628 ComputerName: D2 UserName:
19:00:34.737 Initialze error 0 - driver not loaded
19:01:15.253 AVAST engine defs: 11122901
19:02:58.893 Service scanning
19:02:59.987 Modules scanning
19:02:59.987 Disk 0 trace - called modules:
19:02:59.987
19:03:00.831 AVAST engine scan C:\WINDOWS
19:03:02.831 AVAST engine scan C:\WINDOWS\system32
19:04:44.456 AVAST engine scan C:\WINDOWS\system32\drivers
19:04:52.393 AVAST engine scan C:\Documents and Settings\Dean Nicholson
19:07:21.862 AVAST engine scan C:\Documents and Settings\All Users
19:07:22.159 File: C:\Documents and Settings\All Users\Application Data\gCewtKdyITBp.exe **INFECTED** Win32:FakeAlert-BTP [Trj]
19:07:22.237 File: C:\Documents and Settings\All Users\Application Data\GZzviPbdBiShIt.exe **INFECTED** Win32:FakeAlert-BTP [Trj]
19:07:23.925 Scan finished successfully
19:31:16.675 The log file has been saved successfully to "C:\Documents and Settings\Dean Nicholson\My Documents\aswMBR.txt"

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-30 19:27:56
-----------------------------
19:27:56.984 OS Version: Windows 5.1.2600 Service Pack 3
19:27:56.984 Number of processors: 2 586 0xF06
19:27:56.984 ComputerName: D2 UserName:
19:27:57.671 Initialze error 0 - driver not loaded
19:31:06.718 AVAST engine defs: 11123001
19:34:32.125 Service scanning
19:34:33.156 Modules scanning
19:34:33.156 Disk 0 trace - called modules:
19:34:33.156
19:34:33.828 AVAST engine scan C:\WINDOWS
19:34:35.781 AVAST engine scan C:\WINDOWS\system32
19:35:38.515 AVAST engine scan C:\WINDOWS\system32\drivers
19:35:44.890 AVAST engine scan C:\Documents and Settings\Dean Nicholson
19:36:15.578 File: C:\Documents and Settings\Dean Nicholson\Local Settings\Application Data\pjq.exe **INFECTED** Win32:MalOb-GR [Cryp]
19:36:38.140 AVAST engine scan C:\Documents and Settings\All Users
19:36:39.890 Scan finished successfully
19:37:20.078 The log file has been saved successfully to "C:\Documents and Settings\Dean Nicholson\My Documents\aswMBR.txt"

#12 ken545


Posted 30 December 2011 - 07:38 PM

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::


File::
C:\Documents and Settings\Dean Nicholson\Local Settings\Application Data\pjq.exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


#13 Dean N


Posted 30 December 2011 - 08:56 PM

ComboFix 11-12-30.02 - Dean Nicholson 12/30/2011 21:05:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2423 [GMT -5:00]
Running from: c:\documents and settings\Dean Nicholson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dean Nicholson\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Dean Nicholson\Local Settings\Application Data\pjq.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dean Nicholson\Local Settings\Application Data\pjq.exe
c:\documents and settings\Dean Nicholson\Start Menu\Programs\Startup\dxdiag.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
.
.
2011-12-30 19:28 . 2011-12-30 19:28 -------- d-----w- c:\program files\ESET
2011-12-30 12:21 . 2011-12-30 12:21 -------- d-----w- c:\windows\system32\LogFiles
2011-12-30 01:16 . 2011-12-30 01:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-21 00:36 . 2011-12-29 01:52 -------- d-----w- c:\documents and settings\Dean Nicholson\Application Data\Skype
2011-12-21 00:36 . 2011-12-29 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-12-18 21:32 . 2011-12-18 21:32 -------- d-----w- c:\documents and settings\Dean Nicholson\Application Data\Yahoo!
2011-12-18 21:29 . 2011-12-23 05:00 -------- d-----w- c:\program files\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 00:19 . 2011-07-01 01:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-07-01 02:22 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2010-08-30 18:15 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2010-08-30 18:15 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2010-08-30 18:15 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2010-08-30 18:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2010-08-30 18:15 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2010-08-30 18:15 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-08-30 18:15 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2010-08-30 18:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-08-30 18:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-10 12:31 . 2011-07-02 02:13 17712 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-10-10 12:31 . 2011-07-02 02:13 26416 ----a-w- c:\windows\system32\nitrolocalmon2.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-30_16.59.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-31 00:52 . 2011-12-31 00:52 16384 c:\windows\Temp\Perflib_Perfdata_428.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2011-07-03 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-05-12 517480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-03-05 3093816]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-04-22 431464]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2010-04-22 181608]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-23 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Dean Nicholson\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\B]
@="service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [8/31/2010 12:26 PM 24304]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/1/2010 11:16 AM 13480]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [8/31/2010 12:26 PM 132456]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [10/10/2011 7:32 AM 196912]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/31/2010 12:26 PM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/1/2010 11:16 AM 63928]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 2:54 PM 37312]
S2 B;B;c:\windows\system32\svchost.exe -k netsvcs [8/30/2010 1:15 PM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/1/2010 11:16 AM 45496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 3:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 2:42 PM 73600]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
B
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004Core.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004UA.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2011-12-31 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-08-31 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-30 21:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\B]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\DEANNI~1\LOCALS~1\Temp\B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1108)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-12-30 21:47:58
ComboFix-quarantined-files.txt 2011-12-31 02:47
ComboFix2.txt 2011-12-30 17:15
.
Pre-Run: 79,653,384,192 bytes free
Post-Run: 79,738,224,640 bytes free
.
- - End Of File - - C69DB9BC0266F448E5CC8EACB82E3B10
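Added example, not from this thread or from ComboFix: a small Python triage routine that reads report lines in ComboFix's format and flags what the log above shows, namely the Security Center and firewall overrides and the svchost-hosted service "B" whose ServiceDll sits in a Temp folder behind a \\.\globalroot device path. The sample lines are constructed after the report's format, and treating c:\windows\system32 as the expected home of a ServiceDll is an assumption of this script.

```python
import re

# Constructed sample in ComboFix's report format, modelled on the log above
# (a few representative lines, not the whole report).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/1/2010 11:16 AM 63928]
S2 B;B;c:\windows\system32\svchost.exe -k netsvcs [8/30/2010 1:15 PM 14336]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\B]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\DEANNI~1\LOCALS~1\Temp\B.tmp"
"""

SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<image>.+?) \[")   # R2/S2 service rows
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                            # [HKEY_...] headers
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<val>[^"]*)"?$')         # "name"=value rows

def triage(log):
    """Return a list of findings (strings) for the patterns a helper looks for."""
    findings, services, dlls, key = [], {}, {}, ""
    for line in log.splitlines():
        if m := KEY_RE.match(line):
            key = m["key"].lower()
        elif m := SVC_RE.match(line):
            services[m["name"]] = m["image"].lower()
        elif m := VAL_RE.match(line):
            name, val = m["name"], m["val"].strip()
            if key.endswith("security center") and name.endswith("Override") and val.endswith("1"):
                findings.append(f"Security Center {name} is set: missing AV/firewall warnings suppressed")
            elif key.endswith("standardprofile") and name == "EnableFirewall" and val.startswith("0"):
                findings.append("Windows Firewall is disabled in the standard profile")
            elif name.lower() == "servicedll":
                dlls[key.rsplit("\\", 1)[-1]] = val      # keyed by service name
    # svchost.exe runs whatever ServiceDll points at; a \\.\globalroot device path
    # or a Temp folder is not where a legitimate Windows service DLL lives.
    for name, image in services.items():
        if "svchost.exe" not in image:
            continue
        dll = dlls.get(name.lower(), "").lower()
        if "\\globalroot\\" in dll or "\\temp\\" in dll:
            findings.append(f"svchost-hosted service '{name}' loads its ServiceDll from {dll}")
        elif not dll.startswith("c:\\windows\\system32\\"):   # assumed baseline location
            findings.append(f"svchost-hosted service '{name}' has an unexpected ServiceDll '{dll}'")
    return findings
```

Run against the constructed sample it reports four findings: the two Security Center overrides, the disabled firewall, and service B's ServiceDll in a Temp folder.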

#14 ken545

Forum God, MVP, Retired Classroom Teacher, 23,225 posts
Interests: Fighting Malware and cooking some great Italian and TexMex food

Posted 31 December 2011 - 05:26 AM

Good Morning,

How are things running now, any redirects?

I am trying to determine if your Master Boot Record is infected. When you ran aswMBR it should have dropped two files on your desktop, but I only see one: one should be aswMBR.txt (which is the report) and the other should be MBR.dat. Do you see MBR.dat?



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Just a reminder that threads will be closed if no reply in 3 days.

#15 Dean N

Authentic Member, 152 posts

Posted 31 December 2011 - 08:31 AM

Good Morning! I'm still getting redirects. I also have a shortcut button in the tray that's named "System Check" (the name appears when hovering over it). Its target is: "C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\GZzviPbdBiShIt.exe.vir"

I ran a few searches for MBR.dat and couldn't find it. I don't recall seeing another file on my desktop. But there was a weird lag in having things appear on my desktop after putting them there, though... not sure if that means anything.

I downloaded TDSSKiller.zip to the desktop, extracted it, and there are two files in the folder (eula and TDSSKiller). The latter is an application, not an .exe file. There is no .exe file anywhere, neither in the zipped nor the extracted folders. When I try to run it by clicking on TDSSKiller, nothing happens. I had this issue once or twice before in this process, but managed to make things work. This time, not so much.... :rant2:
