Infection: "system-check.com" [Solved]


  • This topic is locked
133 replies to this topic

#31 Dean N

Dean N

    Authentic Member

  • Authentic Member
  • PipPip
  • 152 posts

Posted 01 January 2012 - 04:53 PM

Here ya go!

Attached Files

  • Attached File  mbr.zip   565bytes   281 downloads



#32 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 01 January 2012 - 05:16 PM

Go ahead and submit it to Jotti and in the meantime I will have it analysed here

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#33 Dean N

Dean N

    Authentic Member

  • Authentic Member
  • PipPip
  • 152 posts

Posted 01 January 2012 - 05:32 PM

Jotti found nothing on mbr.bin.

#34 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 January 2012 - 02:14 AM

Hello Dean, I had mbr.bin analysed by experts. Malware is pretty sneaky; what's happening is that this infection has created a hidden partition on your MBR that's infected. Your actual MBR is fine, but the malware directs Windows to boot from the hidden infected partition. That's why scanners like Jotti and such are not finding anything, because that infected partition is hidden. xPud can fix this; what it will do is change the boot order so that your computer will boot to the regular MBR, and once that happens we will use xPud again to remove that infected hidden partition. Hope this makes sense to you. I am going to ask the author of xPud to step in and offer some help so that we do this correctly, so again thanks for your patience and just hang in; I will be back as soon as I can.


#35 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 January 2012 - 09:37 AM

Dean, this fix is going to be using xPud and will be in two parts, the first part is going to change the boot order and make the legit MBR as the active partition so that your computer will boot normally and not from the infected hidden partition.

When all is well the second part using xPud will search for and remove the hidden infected partition, please note the instructions as there is a recovery option if you should run into problems. What you need to do is print this out and keep it handy so you can follow the instructions real well.


From one of our experts

If you used xPUD I suggest you use tdl_fix to set the 1st partition as active. Remember, using tdl_fix you can always reverse the change if the OP has problems, providing you don't remove the rogue partition until you are sure the machine boots properly. The tool will ask and confirm the OP's choices plus warn if an unbootable partition is selected.


What you're going to do is download that file to your flash drive and keep the drive plugged in, then boot to the xPud bootable CD that you made.


  • Download tdl_fix.sh and save it to the xPUD flash drive.
  • Boot into xPUD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh then press Enter.
  • Read the warning then type y and press Enter to continue.
  • Type sda then press Enter when prompted.
  • You will be shown a list of partitions to choose marking active.
  • Type 1 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Ok the procedure then restart when complete.
This is a backup of the original MBR and will restore it to its original state.


#36 Dean N

Dean N

    Authentic Member

  • Authentic Member
  • PipPip
  • 152 posts

Posted 02 January 2012 - 10:49 AM

Assistant

  • Download tdl_fix.sh and save it to the xPUD flash drive.

I really hope this is just my non-computer-savvy skills here... this links me to a weird-looking search site (on my good machine!) called NetAssistant that shows some malware forum links, but apparently no way to download this next bit I need....

:unsure:


Edit: Looks like this is a redirect.. I'm scanning with Malwarebytes.

Edited by Dean N, 02 January 2012 - 10:58 AM.


#37 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 02 January 2012 - 11:53 AM

Hi Dean N,

Just popping in. There does seem to be a problem with the link. Try this one instead LINK

Back to you Ken.

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation 5Iv60h9.jpg
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#38 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 January 2012 - 02:04 PM

Sorry guys, was unaware of the bad link. I am part of the University of Florida alumni and we had a get together this afternoon for the Gator Bowl, and when I got there we all found out that the lady that runs the Connecticut Gator Club was killed last night in Vermont on a skiing trip. Has not been a pleasant day.


#39 Dean N

Dean N

    Authentic Member

  • Authentic Member
  • PipPip
  • 152 posts

Posted 02 January 2012 - 02:37 PM

Sorry to hear that Ken.

I got tdl_fix to work just fine, computer rebooted ok as well. It seems to be behaving pretty much the same though.

tdl_fix.txt:

2012-01-02-15:24:27

The following drives were found
sda
sdb
User has chosen drive sda
backing up mbr to tdl_mbr_sda.bin


Disk /dev/sda: 100.0 GB, 100030242816 bytes
255 heads, 63 sectors/track, 12161 cylinders, total 195371568 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot Start End Blocks Id System
/dev/sda1 2048 186691583 93344768 7 HPFS/NTFS
Partition 1 does not end on cylinder boundary
/dev/sda2 186691584 195368959 4338688 13 Unknown
Partition 2 does not end on cylinder boundary
/dev/sda3 * 195368960 195371551 1296 17 Hidden HPFS/NTFS

Model: ATA HTS721010G9SA00 (scsi)
Disk /dev/sda: 100GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 1049kB 95.6GB 95.6GB primary ntfs
2 95.6GB 100GB 4443MB primary ntfs
3 100GB 100GB 1327kB primary ntfs boot, hidden


User has chosen to make partition 1 active

Model: ATA HTS721010G9SA00 (scsi)
Disk /dev/sda: 100GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 1049kB 95.6GB 95.6GB primary ntfs boot
2 95.6GB 100GB 4443MB primary ntfs
3 100GB 100GB 1327kB primary ntfs hidden


User has accepted changes
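Ken's explanation in post #34 and the tdl_fix.txt listing above together show the trick: the MBR boot code is clean, but the partition table's active flag sits on a 1.3 MB hidden partition (type 0x17) tucked at the very end of the disk, so the BIOS hands control to that partition's boot sector instead of to Windows. The Python script below is an added example and is not part of this thread, of tdl_fix.sh or of aswMBR. It constructs a 512-byte MBR whose partition table is taken from the numbers in the log (before and after tdl_fix made partition 1 active), decodes it with struct, and reports the anomalies a triage script would flag. DISK_SECTORS comes from the fdisk line in the log; the 16 MiB "small boot target" threshold is an assumption of this example.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                 # the four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"
# msdos partition type ids that mark "hidden" FAT/NTFS variants (0x17 = hidden HPFS/NTFS)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
SMALL_BYTES = 16 * 1024 * 1024     # assumption: an active partition under 16 MiB deserves a look
DISK_SECTORS = 195371568           # total sectors reported by fdisk in the log above

# Partition entries constructed from the tdl_fix.txt listing: (active, type, start LBA, sector count)
BEFORE_FIX = [
    (False, 0x07, 2048,      186689536),   # sda1, the real Windows partition
    (False, 0x13, 186691584, 8677376),     # sda2, type 0x13 (fdisk says Unknown, parted says ntfs)
    (True,  0x17, 195368960, 2592),        # sda3, tiny hidden partition carrying the boot flag
]
# Same table after tdl_fix moved the active flag to partition 1 (sda3 is still present)
AFTER_FIX = [(i == 0, t, s, c) for i, (_, t, s, c) in enumerate(BEFORE_FIX)]


def build_mbr(entries):
    """Construct a 512-byte MBR sector from the tuples above (sample input only;
    CHS fields are filled with 0xFF and the boot code area is left zeroed)."""
    mbr = bytearray(SECTOR)
    for i, (active, type_id, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\xff" * 3, type_id, b"\xff" * 3, start, count)
    mbr[510:] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Decode the partition table of a raw MBR sector (e.g. an mbr.bin dumped by a rescue tool)."""
    if len(mbr) != SECTOR or mbr[510:] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    table = []
    for i in range(4):
        status, _chs_start, type_id, _chs_end, start, count = struct.unpack_from(
            "<B3sB3sII", mbr, TABLE_OFFSET + 16 * i)
        if type_id == 0x00:
            continue                       # empty slot
        table.append({"number": i + 1, "active": status == 0x80, "type": type_id,
                      "hidden": type_id in HIDDEN_TYPES, "start": start, "sectors": count})
    return table


def boot_anomalies(table, disk_sectors):
    """Flag the pattern from this thread: the active flag on a tiny hidden partition at the disk tail."""
    findings = []
    active = [p for p in table if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions carry the active flag, expected exactly one")
    for p in table:
        size = p["sectors"] * SECTOR
        at_tail = p["start"] + p["sectors"] >= disk_sectors - 2048   # within the last 1 MiB
        if p["active"] and p["hidden"]:
            findings.append(f"active partition {p['number']} has hidden type 0x{p['type']:02X}")
        if p["active"] and size < SMALL_BYTES:
            findings.append(f"active partition {p['number']} is only {size} bytes")
        if p["hidden"] and size < SMALL_BYTES and at_tail:
            findings.append(f"tiny hidden partition {p['number']} sits at the end of the disk")
    return findings


def check(entries, disk_sectors=DISK_SECTORS):
    """Build, parse and triage one constructed partition table; returns the list of findings."""
    return boot_anomalies(parse_mbr(build_mbr(entries)), disk_sectors)


if __name__ == "__main__":
    for label, entries in (("before tdl_fix", BEFORE_FIX), ("after tdl_fix", AFTER_FIX)):
        print(label)
        for finding in check(entries) or ["no anomalies"]:
            print("  -", finding)
```

Run against the "before" table the script reports three findings, all about partition 3; against the "after" table only the leftover hidden partition at the disk tail remains, which is exactly the second step Ken describes (removing the rogue partition once the machine is known to boot from partition 1). To use it on a real dump, replace the constructed table with `parse_mbr(open("mbr.bin", "rb").read())`.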

#40 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 January 2012 - 04:44 PM

Dean, the infected partition is not active so it should not be causing problems at this point; we will remove it in a bit. Drag both Combofix and aswMBR to the trash and let's get fresh new copies, run them and post the logs please.



Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply
Posted Image







Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.



#41 Dean N

Dean N

    Authentic Member

  • Authentic Member
  • PipPip
  • 152 posts

Posted 02 January 2012 - 05:23 PM

I'm actually posting this from the infected computer! Yay for progress!


aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-02 17:56:58
-----------------------------
17:56:58.046 OS Version: Windows 5.1.2600 Service Pack 3
17:56:58.046 Number of processors: 2 586 0xF06
17:56:58.062 ComputerName: D2 UserName:
17:56:58.421 Initialize success
17:57:06.625 AVAST engine defs: 12010100
17:57:14.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:57:14.734 Disk 0 Vendor: HTS72101 MCZI Size: 95396MB BusType: 3
17:57:14.765 Disk 0 MBR read successfully
17:57:14.765 Disk 0 MBR scan
17:57:14.781 Disk 0 Windows VISTA default MBR code
17:57:14.796 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 91157 MB offset 2048
17:57:14.843 Disk 0 Partition 2 00 13 NTFS 4237 MB offset 186691584
17:57:14.859 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 195368960
17:57:14.859 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
17:57:14.875 Disk 0 scanning sectors +195371552
17:57:15.062 Disk 0 scanning C:\WINDOWS\system32\drivers
17:57:22.437 Service scanning
17:57:23.625 Modules scanning
17:57:31.359 Disk 0 trace - called modules:
17:57:31.390 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
17:57:31.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af2fab8]
17:57:31.390 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000087[0x8af31910]
17:57:31.406 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8af47030]
17:57:32.000 AVAST engine scan C:\WINDOWS
17:57:34.406 AVAST engine scan C:\WINDOWS\system32
17:58:40.828 File: C:\WINDOWS\system32\dplaysvr.exe **HIDDEN**
17:58:40.875 File: C:\WINDOWS\system32\dplayx.dll **HIDDEN**
17:58:41.484 AVAST engine scan C:\WINDOWS\system32\drivers
17:58:48.843 AVAST engine scan C:\Documents and Settings\Dean Nicholson
18:00:02.078 File: C:\Documents and Settings\Dean Nicholson\Application Data\dplaysvr.exe **INFECTED** Win32:FakeAlert-BUE [Trj]
18:00:02.078 File: C:\Documents and Settings\Dean Nicholson\Application Data\dplaysvr.exe **HIDDEN**
18:00:02.203 File: C:\Documents and Settings\Dean Nicholson\Application Data\dplayx.dll **INFECTED** Win32:Malware-gen
18:00:02.218 File: C:\Documents and Settings\Dean Nicholson\Application Data\dplayx.dll **HIDDEN**
18:00:04.343 AVAST engine scan C:\Documents and Settings\All Users
18:00:04.937 File: C:\Documents and Settings\All Users\Application Data\gfhYdHclcK.exe **INFECTED** Win32:FakeAlert-BUJ [Trj]
18:00:06.890 File: C:\Documents and Settings\All Users\Application Data\yTzdO8xepWwmID.exe **INFECTED** Win32:FakeAlert-BUJ [Trj]
18:00:07.281 File: C:\Documents and Settings\All Users\Documents\19792079 **INFECTED** Win32:Kryptik-GHE [Trj]
18:00:07.921 Scan finished successfully
18:01:41.531 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
18:01:41.546 The log file has been saved successfully to "E:\aswMBR3.txt"




ComboFix 12-01-02.01 - Dean Nicholson 01/02/2012 18:08:36.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2384 [GMT -5:00]
Running from: c:\documents and settings\Dean Nicholson\My Documents\ComboFix.exe
.
The following files were disabled during the run:
c:\documents and settings\Dean Nicholson\Application Data\dplayx.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~yTzdO8xepWwmID
c:\documents and settings\All Users\Application Data\~yTzdO8xepWwmIDr
c:\documents and settings\All Users\Application Data\aehuaaa.tmp
c:\documents and settings\All Users\Application Data\asluaaa.tmp
c:\documents and settings\All Users\Application Data\bsluaaa.tmp
c:\documents and settings\All Users\Application Data\csluaaa.tmp
c:\documents and settings\All Users\Application Data\dsluaaa.tmp
c:\documents and settings\All Users\Application Data\esluaaa.tmp
c:\documents and settings\All Users\Application Data\gfhYdHclcK.exe
c:\documents and settings\All Users\Application Data\griuaaa.tmp
c:\documents and settings\All Users\Application Data\hriuaaa.tmp
c:\documents and settings\All Users\Application Data\iriuaaa.tmp
c:\documents and settings\All Users\Application Data\jriuaaa.tmp
c:\documents and settings\All Users\Application Data\kriuaaa.tmp
c:\documents and settings\All Users\Application Data\qekuaaa.tmp
c:\documents and settings\All Users\Application Data\rekuaaa.tmp
c:\documents and settings\All Users\Application Data\sekuaaa.tmp
c:\documents and settings\All Users\Application Data\tekuaaa.tmp
c:\documents and settings\All Users\Application Data\uekuaaa.tmp
c:\documents and settings\All Users\Application Data\wdhuaaa.tmp
c:\documents and settings\All Users\Application Data\xdhuaaa.tmp
c:\documents and settings\All Users\Application Data\ydhuaaa.tmp
c:\documents and settings\All Users\Application Data\yTzdO8xepWwmID
c:\documents and settings\All Users\Application Data\yTzdO8xepWwmID.exe
c:\documents and settings\All Users\Application Data\zdhuaaa.tmp
c:\documents and settings\Dean Nicholson\Application Data\dplaysvr.exe
c:\documents and settings\Dean Nicholson\Application Data\dplayx.dll.vir
c:\documents and settings\Dean Nicholson\Local Settings\Application Data\lby.exe
c:\documents and settings\Dean Nicholson\Local Settings\Application Data\tsf.exe
c:\windows\expl.dat
c:\windows\system32\dllc.dat
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2012-01-02 22:55 . 2012-01-01 17:17 4702720 ----a-w- C:\aswMBR.exe
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-01 00:31 . 2012-01-01 00:31 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-01 00:29 . 2012-01-01 00:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-30 19:28 . 2011-12-30 19:28 -------- d--h--w- c:\program files\ESET
2011-12-30 12:21 . 2012-01-01 06:39 -------- d--h--w- c:\windows\system32\LogFiles
2011-12-30 01:16 . 2011-12-30 01:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-21 00:36 . 2011-12-29 01:52 -------- d--h--w- c:\documents and settings\Dean Nicholson\Application Data\Skype
2011-12-21 00:36 . 2011-12-29 01:52 -------- d--h--w- c:\documents and settings\All Users\Application Data\Skype
2011-12-18 21:32 . 2011-12-18 21:32 -------- d--h--w- c:\documents and settings\Dean Nicholson\Application Data\Yahoo!
2011-12-18 21:29 . 2011-12-23 05:00 -------- d--h--w- c:\program files\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 00:19 . 2011-07-01 01:56 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-07-01 02:22 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2010-08-30 18:15 1859584 ---ha-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2010-08-30 18:15 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2010-08-30 18:15 43520 ---h--w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2010-08-30 18:15 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2010-08-30 18:15 385024 ---h--w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2010-08-30 18:15 1288704 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-08-30 18:15 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2010-08-30 18:15 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-08-30 18:26 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-10-10 12:31 . 2011-07-02 02:13 17712 ---ha-w- c:\windows\system32\nitrolocalui2.dll
2011-10-10 12:31 . 2011-07-02 02:13 26416 ---ha-w- c:\windows\system32\nitrolocalmon2.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-08-21 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-08-21 . 1300F6682BEA386767AE2A7C6C2DDCA7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[7] 2008-08-21 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-08-21 . ECD453C1AD7D2FF9448C24A65642FE17 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2008-08-21 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-08-21 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2011-07-03 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-05-12 517480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-03-05 3093816]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-04-22 431464]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2010-04-22 181608]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-23 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Dean Nicholson\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\B]
@="service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [8/31/2010 12:26 PM 24304]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/1/2010 11:16 AM 13480]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [8/31/2010 12:26 PM 132456]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [10/10/2011 7:32 AM 196912]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/31/2010 12:26 PM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/1/2010 11:16 AM 63928]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 2:54 PM 37312]
S2 B;B;c:\windows\system32\svchost.exe -k netsvcs [8/30/2010 1:15 PM 39936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/1/2010 11:16 AM 45496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 3:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 2:42 PM 73600]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
B
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004Core.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004UA.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-02 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-08-31 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-dplaysvr - c:\documents and settings\Dean Nicholson\Application Data\dplaysvr.exe
HKLM-Run-gfhYdHclcK.exe - c:\documents and settings\All Users\Application Data\gfhYdHclcK.exe
HKLM-Run-dplaysvr - c:\documents and settings\Dean Nicholson\Application Data\dplaysvr.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\Dean Nicholson\Application Data\dplaysvr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-02 18:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\B]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\DEANNI~1\LOCALS~1\Temp\B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1096)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\igfxext.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-02 18:16:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-02 23:16
.
Pre-Run: 81,837,703,168 bytes free
Post-Run: 81,900,290,048 bytes free
.
- - End Of File - - C4B1ED37308E996E9C4A242115F215C7
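The ComboFix log above lists a service named B whose ServiceDll resolves through \\.\globalroot to a .tmp file under the user's Temp directory and which is hosted by svchost.exe -k netsvcs; that combination is what makes the entry stand out among the dozens of legitimate services in the same log. The Python below is an added example and is not part of this thread, of ComboFix or of SystemLook. It parses registry-dump lines written in the style of those logs into a per-service dictionary and applies a handful of triage rules drawn from that entry. The input text is constructed from the Services\B lines in the logs plus a hypothetical benign service (ExampleSvc, with an invented DLL name) for contrast.

```python
import re

# Constructed sample modeled on the ComboFix "Services\B" entry and the SystemLook
# ":reg" output in this thread, plus a hypothetical benign service for contrast.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\B]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\DEANNI~1\LOCALS~1\Temp\B.tmp"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\B]
"imagepath"="%systemroot%\system32\svchost.exe -k netsvcs"
"objectname"="LocalSystem"
"start"= 0x0000000002 (2)
"type"= 0x0000000020 (32)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\B\parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ExampleSvc]
"imagepath"="%systemroot%\system32\svchost.exe -k netsvcs"
"servicedll"="%systemroot%\system32\examplesvc.dll"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_service_dump(text):
    """Collect the values directly under ...\Services\<name> keys into {name: {value: data}}.
    Subkeys such as \parameters are skipped; entries for the same service name that appear
    under different control sets (ControlSet002, CurrentControlSet) are merged."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            parts = key.group("key").split("\\")
            current = parts[-1] if len(parts) >= 2 and parts[-2].lower() == "services" else None
            if current is not None:
                services.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            services[current][val.group("name").lower()] = val.group("value").strip().strip('"')
    return services


def triage_services(services):
    """Apply rules drawn from the log: a svchost-hosted service whose DLL is a .tmp file
    reached through a globalroot device path inside a user's Temp directory."""
    findings = {}
    for name, values in services.items():
        dll = values.get("servicedll", "").lower()
        image = values.get("imagepath", "").lower()
        reasons = []
        if dll.startswith(r"\\.\globalroot"):
            reasons.append("ServiceDll is addressed through \\\\.\\globalroot")
        if "\\temp\\" in dll:
            reasons.append("ServiceDll lives in a Temp directory")
        if dll.endswith(".tmp"):
            reasons.append("ServiceDll has a .tmp extension")
        if len(name) <= 2 and "svchost.exe" in image:
            reasons.append("one- or two-character service name hosted by svchost.exe")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, reasons in triage_services(parse_service_dump(SAMPLE_DUMP)).items():
        print(svc)
        for reason in reasons:
            print("  -", reason)
```

Only the B service is reported, with all four reasons; ExampleSvc, whose DLL sits under system32, passes cleanly. The rules are deliberately narrow: a DLL in a Temp directory or addressed through a device path is the signal, not the short service name on its own.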

#42 Dean N

Dean N

    Authentic Member

  • Authentic Member
  • PipPip
  • 152 posts

Posted 02 January 2012 - 06:20 PM

Quick FYI: IE pages are locking up (freezing), and search engines are still being interfered with (google fails to populate with suggested sites, but thankfully there is no redirect). I still have a "system check" button down in the tray. I now have access to the task manager and the desktop.

#43 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 January 2012 - 06:24 PM

Wow, you have a real mess going on :smack:

You need the 32 bit version

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64 Bit Version

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\B]
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, making sure there is no space before and above File::

    FCopy::
    c:\windows\ERDNT\cache\explorer.exe | c:\windows\explorer.exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

 
 

#44 Dean N

Dean N

    Authentic Member

  • Authentic Member
  • 152 posts

Posted 02 January 2012 - 06:57 PM

Why thank you! :oops: I seem to be talented at jacking up my laptop.


SystemLook 30.07.11 by jpshortstuff
Log created at 19:34 on 02/01/2012 by Dean Nicholson
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\B]
"imagepath"="%systemroot%\system32\svchost.exe -k netsvcs"
"objectname"="LocalSystem"
"errorcontrol"= 0x0000000001 (1)
"start"= 0x0000000002 (2)
"type"= 0x0000000020 (32)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\B\parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\B\Enum]


-= EOF =-




ComboFix 12-01-02.02 - Dean Nicholson 01/02/2012 19:40:51.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2391 [GMT -5:00]
Running from: c:\documents and settings\Dean Nicholson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dean Nicholson\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\expl.dat
c:\windows\OLD15.tmp
c:\windows\OLD19.tmp
c:\windows\OLD1D.tmp
c:\windows\OLD21.tmp
c:\windows\OLD25.tmp
c:\windows\OLD29.tmp
c:\windows\OLD2D.tmp
c:\windows\OLD31.tmp
c:\windows\OLD35.tmp
c:\windows\OLD39.tmp
c:\windows\OLD3D.tmp
c:\windows\OLD41.tmp
c:\windows\TEMP\win13.tmp
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
--------------- FCopy ---------------
.
c:\windows\ERDNT\cache\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-03 00:40 . 2012-01-03 00:40 -------- d-----w- c:\windows\LastGood.Tmp
2012-01-02 22:55 . 2012-01-01 17:17 4702720 ----a-w- C:\aswMBR.exe
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-01 00:31 . 2012-01-01 00:31 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-01 00:29 . 2012-01-01 00:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-30 19:28 . 2011-12-30 19:28 -------- d-----w- c:\program files\ESET
2011-12-30 12:21 . 2012-01-01 06:39 -------- d-----w- c:\windows\system32\LogFiles
2011-12-30 01:16 . 2011-12-30 01:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-21 00:36 . 2011-12-29 01:52 -------- d-----w- c:\documents and settings\Dean Nicholson\Application Data\Skype
2011-12-21 00:36 . 2011-12-29 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-12-18 21:32 . 2011-12-18 21:32 -------- d-----w- c:\documents and settings\Dean Nicholson\Application Data\Yahoo!
2011-12-18 21:29 . 2011-12-23 05:00 -------- d-----w- c:\program files\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-03 00:42 . 2010-08-30 18:15 1058816 ----a-w- c:\windows\explorer.exe
2011-12-28 00:19 . 2011-07-01 01:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-07-01 02:22 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2010-08-30 18:15 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2010-08-30 18:15 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2010-08-30 18:15 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2010-08-30 18:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2010-08-30 18:15 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2010-08-30 18:15 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-08-30 18:15 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2010-08-30 18:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-08-30 18:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-10 12:31 . 2011-07-02 02:13 17712 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-10-10 12:31 . 2011-07-02 02:13 26416 ----a-w- c:\windows\system32\nitrolocalmon2.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-08-21 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-08-21 . 1300F6682BEA386767AE2A7C6C2DDCA7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[7] 2008-08-21 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-08-21 . ECD453C1AD7D2FF9448C24A65642FE17 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2012-01-03 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-08-21 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-01-02_23.12.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-02 23:44 . 2012-01-02 23:44 16384 c:\windows\Temp\Perflib_Perfdata_e94.dat
+ 2012-01-03 00:46 . 2012-01-03 00:46 16384 c:\windows\Temp\Perflib_Perfdata_dc8.dat
+ 2012-01-03 00:42 . 2012-01-03 00:42 14336 c:\windows\system32\svch.dat
+ 2010-08-30 18:15 . 2008-08-21 17:00 507904 c:\windows\system32\winl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2011-07-03 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-05-12 517480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-03-05 3093816]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-04-22 431464]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2010-04-22 181608]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-23 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Dean Nicholson\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\B]
@="service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [8/31/2010 12:26 PM 24304]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/1/2010 11:16 AM 13480]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [8/31/2010 12:26 PM 132456]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [10/10/2011 7:32 AM 196912]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/31/2010 12:26 PM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/1/2010 11:16 AM 63928]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 2:54 PM 37312]
S2 B;B;c:\windows\system32\svchost.exe -k netsvcs [8/30/2010 1:15 PM 39936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/1/2010 11:16 AM 45496]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 3:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 2:42 PM 73600]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
B
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004Core.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004UA.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-03 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-08-31 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-02 19:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\B]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\DEANNI~1\LOCALS~1\Temp\B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1100)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-02 19:49:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-03 00:49
ComboFix2.txt 2012-01-02 23:16
.
Pre-Run: 81,888,305,152 bytes free
Post-Run: 81,864,065,024 bytes free
.
- - End Of File - - 710E5D1FAD6F63131F58FFB9934E4EEE
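As an added example (not ComboFix, SystemLook, or anything the helpers in this thread use), the following Python triage pulls out of the log excerpts above the two findings a responder would act on: the svchost-hosted service B in the netsvcs group whose ServiceDll points through a \\.\globalroot device path to B.tmp in the user's Temp folder (SystemLook's Parameters key showed no ServiceDll at all, which the second sample reproduces), and the system binaries whose MD5 hashes differ from the ERDNT\cache copies. The sample strings are lines copied from the logs above; the heuristics (Temp directory, globalroot path, non-.dll extension, missing ServiceDll) are this example's own assumptions about what looks wrong on a Windows XP box, not rules taken from either tool.

```python
import re

# Constructed sample input: lines excerpted from the SystemLook and ComboFix logs posted above.
SYSTEMLOOK_EXCERPT = r"""
========== reg ==========
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\B]
"imagepath"="%systemroot%\system32\svchost.exe -k netsvcs"
"objectname"="LocalSystem"
"start"= 0x0000000002 (2)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\B\parameters]
"""

COMBOFIX_EXCERPT = r"""
------- Sigcheck -------
[7] 2008-08-21 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-08-21 . 1300F6682BEA386767AE2A7C6C2DDCA7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-08-21 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-08-21 . ECD453C1AD7D2FF9448C24A65642FE17 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2012-01-03 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-08-21 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/1/2010 11:16 AM 63928]
S2 B;B;c:\windows\system32\svchost.exe -k netsvcs [8/30/2010 1:15 PM 39936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\B]
"servicedll"="\\.\globalroot\Device\HarddiskVolume1\DOCUME~1\DEANNI~1\LOCALS~1\Temp\B.tmp"
"""

# ComboFix Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r'^\[[^\]]\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)'
    r'\s+\.\s+\.\s+\[[^\]]*\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$')
# ComboFix service line: S2 name;display;image [date size]
SERVICE_LINE_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<image>.+?)\s+\[[^\]]*\]\s*$')
# Registry key header for a service (or its Parameters subkey) in either tool's output
SERVICE_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\(?:CurrentControlSet|ControlSet\d+)\\Services\\'
    r'(?P<name>[^\\\]]+)(?:\\parameters)?\]$', re.IGNORECASE)
IMAGEPATH_RE = re.compile(r'^"imagepath"="(?P<image>[^"]*)"$', re.IGNORECASE)
SERVICEDLL_RE = re.compile(r'^"servicedll"="(?P<path>[^"]*)"$', re.IGNORECASE)
SVCHOST_GROUP_RE = re.compile(r'svchost\.exe\s+-k\s+(?P<group>\S+)', re.IGNORECASE)


def sigcheck_mismatches(log):
    """Pair each live system binary with its ERDNT\\cache backup copy and report differing hashes."""
    live, cache = {}, {}
    for raw in log.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if not m:
            continue
        path = m['path']
        name = path.rsplit('\\', 1)[-1].lower()
        bucket = cache if '\\erdnt\\cache\\' in path.lower() else live
        bucket[name] = {'md5': m['md5'].upper(), 'size': int(m['size']), 'path': path}
    return [{'file': n, 'live_md5': live[n]['md5'], 'live_size': live[n]['size'],
             'cache_md5': cache[n]['md5'], 'cache_size': cache[n]['size']}
            for n in sorted(live) if n in cache and live[n]['md5'] != cache[n]['md5']]


def collect_svchost_services(log):
    """Return (hosted, dlls): svchost-hosted services by lowercase name, and any ServiceDll seen for a service."""
    hosted, dlls, current = {}, {}, None
    for raw in log.splitlines():
        line = raw.strip()
        key = SERVICE_KEY_RE.match(line)
        if key:
            current = key['name']          # following "value"="..." lines belong to this service
            continue
        name = image = None
        m = SERVICE_LINE_RE.match(line)
        if m:
            name, image = m['name'], m['image']
        elif current:
            ip, dl = IMAGEPATH_RE.match(line), SERVICEDLL_RE.match(line)
            if ip:
                name, image = current, ip['image']
            elif dl:
                dlls[current.lower()] = dl['path']
        if image:
            g = SVCHOST_GROUP_RE.search(image)
            if g:
                hosted[name.lower()] = (name, g['group'])
    return hosted, dlls


def suspicious_svchost_services(log):
    """Flag svchost-hosted services whose ServiceDll is missing or lives somewhere a real DLL would not."""
    hosted, dlls = collect_svchost_services(log)
    flagged = []
    for key, (name, group) in sorted(hosted.items()):
        dll = dlls.get(key)
        reasons = []
        if dll is None:
            reasons.append('no ServiceDll visible for an svchost-hosted service')
        else:
            p = dll.lower()
            if '\\globalroot\\' in p:       # object-manager path that sidesteps drive-letter based checks
                reasons.append('globalroot device path instead of a drive letter')
            if '\\temp\\' in p:
                reasons.append('lives in a Temp directory')
            if not p.endswith('.dll'):
                reasons.append('not a .dll')
        if reasons:
            flagged.append({'service': name, 'group': group, 'servicedll': dll, 'reasons': reasons})
    return flagged
```

Run against the ComboFix excerpt it reports service B (netsvcs) on all three path grounds plus the three hash mismatches; against the SystemLook excerpt it reports B for having no ServiceDll at all, which is the same gap the helper was probing with the :reg query. The ServiceDll value surfacing under ControlSet002 rather than CurrentControlSet is exactly why a second tool reading a different control set can find what the first one could not.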

#45 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 January 2012 - 07:09 PM

Let's go ahead and remove the infected partition, then I need to analyse the scans

  • Boot into xPUD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh -delete then press Enter.
  • ** Make sure to leave a space to either side of tdl_fix.sh in the command.
  • You should be notified of a hidden partition found and prompted to delete it.
  • Type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the tdl_delete.txt file that was created on your flash drive.

Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Ok the procedure then restart when complete.

Then let's see a new aswMBR log please

 
 
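What the xPUD step above changes on disk can be checked without the script. The following Python reads a raw 512-byte MBR (the kind of mbr.bin uploaded earlier in this thread, which a file scanner judged clean), decodes the four partition-table entries and reports the layout described above: boot code that looks fine, but an extra partition carrying the active flag so that the firmware hands control to it before Windows ever loads. It is an added example, not tdl_fix.sh and not that script's logic; it only reads and never writes; it assumes an MBR-partitioned (not GPT) disk and the standard meaning of the status and type bytes; and the two sample images are constructed here, with the 0x17 type byte on the extra partition chosen only for illustration. diff_mbr() reports which region differs between the live sector and a saved copy such as the tdl_mbr_sda.bin that the -restore option writes back.

```python
import struct
import sys

SECTOR = 512
PT_OFFSET = 446                  # the 64-byte partition table follows the boot code
ENTRY_FMT = '<B3sB3sII'          # status, CHS start, type, CHS end, LBA start, sector count
# Partition type bytes an ordinary Windows install boots from.
# Assumption for this example: anything else carrying the active flag deserves a look.
WINDOWS_BOOTABLE_TYPES = {0x07: 'NTFS', 0x0B: 'FAT32', 0x0C: 'FAT32 (LBA)', 0x0E: 'FAT16 (LBA)'}


def parse_mbr(mbr):
    """Decode one 512-byte sector into its non-empty partition entries plus the boot-signature check."""
    if len(mbr) < SECTOR:
        raise ValueError('need at least one 512-byte sector')
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                                 # empty slot
        entries.append({'index': i, 'active': status == 0x80, 'type': ptype,
                        'lba_start': lba, 'sectors': count})
    return {'entries': entries, 'signature_ok': mbr[510:512] == b'\x55\xaa'}


def audit_mbr(mbr):
    """Return findings suggesting the table was altered so that something other than Windows boots first."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed['signature_ok']:
        findings.append('missing 0x55AA boot signature')
    active = [e for e in parsed['entries'] if e['active']]
    if len(active) != 1:
        findings.append(f'{len(active)} active partitions (expected exactly 1)')
    for e in active:
        if e['type'] not in WINDOWS_BOOTABLE_TYPES:
            findings.append(f"active partition {e['index']} has type 0x{e['type']:02X}, not a normal Windows "
                            f"file system: the BIOS boots it first ({e['sectors']} sectors at LBA {e['lba_start']})")
    spans = sorted((e['lba_start'], e['lba_start'] + e['sectors'], e['index']) for e in parsed['entries'])
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f'partitions {i1} and {i2} overlap')
    return findings


def diff_mbr(current, backup):
    """Which region changed between the live sector and a saved copy of it."""
    return {'boot_code': current[:PT_OFFSET] != backup[:PT_OFFSET],
            'partition_table': current[PT_OFFSET:510] != backup[PT_OFFSET:510],
            'signature': current[510:512] != backup[510:512]}


def build_mbr(entries):
    """Assemble a test sector from (status, type, lba_start, sectors) tuples; boot code and CHS fields are zeroed."""
    table = b''.join(struct.pack(ENTRY_FMT, s, b'\0\0\0', t, b'\0\0\0', lba, n) for s, t, lba, n in entries)
    table += b'\0' * (64 - len(table))
    return b'\0' * PT_OFFSET + table + b'\x55\xaa'


# Constructed sample images, not real disks: a clean single-partition layout, and the same disk with a
# small extra partition (type byte 0x17, commonly listed as hidden NTFS) that has taken over the active flag.
CLEAN_MBR = build_mbr([(0x80, 0x07, 2048, 204800)])
TAMPERED_MBR = build_mbr([(0x00, 0x07, 2048, 204800), (0x80, 0x17, 206848, 2048)])

if __name__ == '__main__':
    if len(sys.argv) > 1:                   # e.g. a sector saved with: dd if=/dev/sda bs=512 count=1 of=mbr.bin
        with open(sys.argv[1], 'rb') as fh:
            image = fh.read(SECTOR)
    else:
        image = TAMPERED_MBR
    for entry in parse_mbr(image)['entries']:
        print(entry)
    print(audit_mbr(image) or ['no findings'])
    print('changed vs clean sample:', diff_mbr(image, CLEAN_MBR))
```

From the Linux boot environment, `dd if=/dev/sda bs=512 count=1 of=mbr.bin` captures the sector with Windows (and whatever is hooking it) out of the picture, and the audit on the tampered sample returns a single finding: the active partition is the 2048-sector type-0x17 entry, with the NTFS volume no longer marked active. A scanner that only hashes the 512 bytes sees nothing unusual because the boot code region is unchanged, which is why the partition table itself has to be read.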
