WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93125 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Infection: "system-check.com" [Solved]

Started by Dean N , Dec 27 2011 10:34 PM

Page 5 of 9
3
4
5
6
7

This topic is locked

133 replies to this topic

#61 Dean N

Authentic Member

Authentic Member
152 posts

Posted 03 January 2012 - 09:22 PM

ComboFix 12-01-03.04 - Dean Nicholson 01/03/2012 21:27:02.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2653 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\qekuaaa.tmp
c:\documents and settings\All Users\Application Data\rekuaaa.tmp
c:\documents and settings\All Users\Application Data\sekuaaa.tmp
c:\documents and settings\All Users\Application Data\tekuaaa.tmp
c:\documents and settings\All Users\Application Data\uekuaaa.tmp
c:\documents and settings\Dean Nicholson\Local Settings\Application Data\reu.exe
c:\windows\$NtUninstallKB60525$
c:\windows\$NtUninstallKB60525$\48380939
c:\windows\$NtUninstallKB60525$\838327706\@
c:\windows\$NtUninstallKB60525$\838327706\bckfg.tmp
c:\windows\$NtUninstallKB60525$\838327706\cfg.ini
c:\windows\$NtUninstallKB60525$\838327706\Desktop.ini
c:\windows\$NtUninstallKB60525$\838327706\keywords
c:\windows\$NtUninstallKB60525$\838327706\kwrd.dll
c:\windows\$NtUninstallKB60525$\838327706\L\eredouwe
c:\windows\$NtUninstallKB60525$\838327706\lsflt7.ver
c:\windows\$NtUninstallKB60525$\838327706\U\00000001.@
c:\windows\$NtUninstallKB60525$\838327706\U\00000002.@
c:\windows\$NtUninstallKB60525$\838327706\U\00000004.@
c:\windows\$NtUninstallKB60525$\838327706\U\80000000.@
c:\windows\$NtUninstallKB60525$\838327706\U\80000004.@
c:\windows\$NtUninstallKB60525$\838327706\U\80000032.@
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-04 02:16 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-01-04 02:16 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-02 22:55 . 2012-01-01 17:17 4702720 ----a-w- C:\aswMBR.exe
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-01 00:31 . 2012-01-01 00:31 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-01 00:29 . 2012-01-01 00:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-30 19:28 . 2011-12-30 19:28 -------- d-----w- c:\program files\ESET
2011-12-30 12:21 . 2012-01-01 06:39 -------- d-----w- c:\windows\system32\LogFiles
2011-12-30 01:16 . 2011-12-30 01:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-21 00:36 . 2011-12-29 01:52 -------- d-----w- c:\documents and settings\Dean Nicholson\Application Data\Skype
2011-12-21 00:36 . 2011-12-29 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-12-18 21:32 . 2011-12-18 21:32 -------- d-----w- c:\documents and settings\Dean Nicholson\Application Data\Yahoo!
2011-12-18 21:29 . 2011-12-23 05:00 -------- d-----w- c:\program files\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-03 00:42 . 2010-08-30 18:15 1058816 ----a-w- c:\windows\explorer.exe
2011-12-28 00:19 . 2011-07-01 01:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-07-01 02:22 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2010-08-30 18:15 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2010-08-30 18:15 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2010-08-30 18:15 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2010-08-30 18:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2010-08-30 18:15 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2010-08-30 18:15 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-08-30 18:15 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2010-08-30 18:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-08-30 18:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-10 12:31 . 2011-07-02 02:13 17712 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-10-10 12:31 . 2011-07-02 02:13 26416 ----a-w- c:\windows\system32\nitrolocalmon2.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-08-21 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-08-21 . 1300F6682BEA386767AE2A7C6C2DDCA7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[7] 2008-08-21 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-08-21 . ECD453C1AD7D2FF9448C24A65642FE17 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2012-01-03 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-08-21 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot_2012-01-03_18.03.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-04 03:03 . 2012-01-04 03:03 16384 c:\windows\temp\Perflib_Perfdata_ac0.dat
+ 2012-01-04 02:20 . 2012-01-04 02:20 16384 c:\windows\temp\Perflib_Perfdata_9ec.dat
+ 2012-01-04 01:38 . 2012-01-04 01:38 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{C5D40222-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:38 . 2012-01-04 01:38 95744 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{C5D40221-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:38 . 2012-01-04 01:38 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{C5D4021F-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:38 . 2012-01-04 01:38 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{C5D4021E-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:23 . 2012-01-04 01:23 17920 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BFE6AB0B-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:30 . 2012-01-04 01:30 47104 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B6602522-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:42 . 2012-01-04 01:43 10752 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6DDDDF5E-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-01 03:17 . 2012-01-04 01:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-01-01 03:17 . 2012-01-03 12:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-01-01 03:07 . 2012-01-03 13:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2012-01-01 03:07 . 2012-01-04 01:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2012-01-01 03:06 . 2012-01-04 01:36 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2012-01-01 03:06 . 2012-01-03 12:44 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2012-01-04 01:23 . 2012-01-04 01:45 65536 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-08-31 18:54 . 2012-01-03 16:11 8572 c:\windows\system32\d3d9caps.dat
+ 2010-08-31 18:54 . 2012-01-04 01:43 8572 c:\windows\system32\d3d9caps.dat
+ 2012-01-04 01:38 . 2012-01-04 01:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{C5D40220-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:38 . 2012-01-04 01:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{C5D4021D-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:38 . 2012-01-04 01:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{C5D4021C-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-03 12:18 . 2012-01-04 01:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{0472381B-3605-11E1-84C4-00197E0B8494}.dat
- 2012-01-03 12:18 . 2012-01-03 12:52 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{0472381B-3605-11E1-84C4-00197E0B8494}.dat
+ 2012-01-04 01:31 . 2012-01-04 01:31 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{DDCC674B-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:38 . 2012-01-04 01:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{DA3BC265-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:45 . 2012-01-04 01:45 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D6AB1D7F-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:23 . 2012-01-04 01:25 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B9E7409F-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:23 . 2012-01-04 01:23 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B6E9EDC5-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:30 . 2012-01-04 01:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B6602521-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:23 . 2012-01-04 01:23 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B3F62453-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:30 . 2012-01-04 01:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B35BAB39-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:23 . 2012-01-04 01:23 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B282357B-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:37 . 2012-01-04 01:37 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B1972C2D-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:30 . 2012-01-04 01:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B0657F6D-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:30 . 2012-01-04 01:30 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{AE9BBBED-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:44 . 2012-01-04 01:44 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{AE068747-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:36 . 2012-01-04 01:36 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{82773145-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:43 . 2012-01-04 01:43 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7EDAA09D-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:28 . 2012-01-04 01:28 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{767A3F0F-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:43 . 2012-01-04 01:43 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{71A377BF-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:35 . 2012-01-04 01:35 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{717A7005-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:42 . 2012-01-04 01:43 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{6DDDDF5D-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:25 . 2012-01-04 01:25 8704 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FD192722-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:31 . 2012-01-04 01:31 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DDCC674C-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:38 . 2012-01-04 01:38 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DA3BC266-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:45 . 2012-01-04 01:46 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D6AB1D80-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:30 . 2012-01-04 01:30 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B35BAB3A-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:23 . 2012-01-04 01:23 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B282357C-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:37 . 2012-01-04 01:37 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B1972C2E-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:30 . 2012-01-04 01:30 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B0657F6E-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:30 . 2012-01-04 01:30 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{AE9BBBEE-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:44 . 2012-01-04 01:44 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{AE068748-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:36 . 2012-01-04 01:36 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{82773146-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:43 . 2012-01-04 01:43 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7EDAA09E-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:43 . 2012-01-04 01:43 8192 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{71A377C0-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:35 . 2012-01-04 01:36 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{717A7006-3674-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:43 . 2012-01-04 01:43 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6DDDDF5F-3675-11E1-84CC-00197E0B8494}.dat
+ 2012-01-03 10:32 . 2012-01-04 01:45 196608 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012010320120104\index.dat
+ 2010-08-30 18:30 . 2012-01-04 01:45 507904 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-01-04 01:23 . 2012-01-04 01:30 227840 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B9E740A0-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:23 . 2012-01-04 01:29 170496 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B6E9EDC6-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:23 . 2012-01-04 01:30 100864 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B3F62454-3672-11E1-84CC-00197E0B8494}.dat
+ 2012-01-04 01:28 . 2012-01-04 01:31 172032 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{767A3F10-3673-11E1-84CC-00197E0B8494}.dat
+ 2012-01-01 03:06 . 2012-01-04 01:45 1163264 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2012-01-01 03:06 . 2012-01-04 01:45 6356992 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2011-07-03 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-05-12 517480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-03-05 3093816]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-04-22 431464]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2010-04-22 181608]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-23 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"dplaysvr"="c:\documents and settings\Administrator\Application Data\dplaysvr.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dplaysvr"="c:\documents and settings\Administrator\Application Data\dplaysvr.exe" [BU]
.
c:\documents and settings\Dean Nicholson\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [8/31/2010 12:26 PM 24304]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/1/2010 11:16 AM 13480]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [8/31/2010 12:26 PM 132456]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [10/10/2011 7:32 AM 196912]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/31/2010 12:26 PM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/1/2010 11:16 AM 63928]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 2:54 PM 37312]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/1/2010 11:16 AM 45496]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 3:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 2:42 PM 73600]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004Core.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004UA.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-04 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-08-31 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 22:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1112)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\igfxext.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-01-03 22:18:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-04 03:18
ComboFix2.txt 2012-01-03 18:17
ComboFix3.txt 2012-01-02 23:16
.
Pre-Run: 81,550,639,104 bytes free
Post-Run: 81,562,763,264 bytes free
.
- - End Of File - - 3CFF5C9F396802ECE81E6E13CCFE396B

Advertisements

Register to Remove

#62 ken545

Forum God

Retired Classroom Teacher
23,225 posts

Interests:Fighting Malware and cooking some great Italian and TexMex food

Posted 04 January 2012 - 03:16 AM

Copy all the Quoted text inside the Quote box and paste it into Notepad, save it as expand.bat , on the drop down list change it to All Files, save it to your desktop, then click on expand.bat to execute it. Then reboot

expand C:\WINDOWS\I386\winlogon.ex_ c:\windows\system32\system32\dllcache\winlogon.exe
expand C:\WINDOWS\I386\svchost.ex_ c:\windows\system32\system32\dllcache\svchost.exe
expand C:\WINDOWS\I386\explorer.ex_ c:\windows\system32\dllcache\explorer.exe

Then run Combofix again and lets see if it picks these up and replaces the infected copies

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.

#63 Dean N

Authentic Member

Authentic Member
152 posts

Posted 04 January 2012 - 08:16 AM

Well, now there's another major malfunction... the computer won't boot up in normal mode, safe mode, safe mode with networking, with command prompt, or last known good configuration. I get a blue screen that says "unmountable boot volume" ... uh oh... Oh, one other thing - you asked about having a disk with Windows XP on it. I got this laptop thru the IBM last year (used/certified) and it came with XP installed. So, no disk.

EDIT: I had the error message wrong. it's "unmountable", not "insurmountable". Oops again!

Edited by Dean N, 04 January 2012 - 11:03 AM.

#64 ken545

Forum God

Retired Classroom Teacher
23,225 posts

Interests:Fighting Malware and cooking some great Italian and TexMex food

Posted 04 January 2012 - 11:15 AM

Whoaa, thats bad. You most likely need the CD to do a System Repair. As heavily as this system was and still is infected, even completely clean it would leave this system Compromised, what that means is that it can never be trusted to do secure transactions like Banking or purchasing from sites with a Credit Card. The options you have are to try and borrow a Windows Professional CD and do a System Repair, what this does is copies windows on top of the current installation and most times repairs things in the process. I think what I would do is look on eBay and buy a Windows XP Professional disk, with Vista and Win 7 out now you should be able pick one up fairly cheap, then you would be guaranteed to have a nice clean and working computer. I dont know all the specs on your system so dont know if its a candidate for Vista or Win 7 In the meantime I am going to ask one of our techs if there is a way around this without the disk.

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.

#65 ken545

Forum God

Retired Classroom Teacher
23,225 posts

Interests:Fighting Malware and cooking some great Italian and TexMex food

Posted 04 January 2012 - 11:20 AM

Dean, When you ran Combofix, it installed a Recovery Console, can you boot to it ?

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.

#66 Dean N

Authentic Member

Authentic Member
152 posts

Posted 04 January 2012 - 11:22 AM

I'll try right now. I believe it's an option I haven't tried yet...

#67 ken545

Forum God

Retired Classroom Teacher
23,225 posts

Interests:Fighting Malware and cooking some great Italian and TexMex food

Posted 04 January 2012 - 11:23 AM

If you can , then try these

Run these commands
chkdsk c: /r /p
fixmbr
exit (to reboot)

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.

#68 Dean N

Authentic Member

Authentic Member
152 posts

Posted 04 January 2012 - 11:41 AM

I still have the "Starting Windows Recovery Console" screen up. Looks like it's not progressing. Can you advise on how long I should expect this to take?

#69 ken545

Forum God

Retired Classroom Teacher
23,225 posts

Interests:Fighting Malware and cooking some great Italian and TexMex food

Posted 04 January 2012 - 11:53 AM

It should come right up, power off and try it again

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.

#70 Dean N

Authentic Member

Authentic Member
152 posts

Posted 04 January 2012 - 11:59 AM

I rebooted, it's been going for a few minutes, no progress...

Advertisements

Register to Remove

#71 Dean N

Authentic Member

Authentic Member
152 posts

Posted 04 January 2012 - 02:04 PM

Well I got the machine to start again, in normal mode, miraculously. I tried to connect it the internet via cable, and it responded by saying "little or no connectivity" and I wasn't able to get online with it. (I don't have wireless set up at my office... don't ask....) So I used a second machine to create expand.bat, moved it to the sick machine's desktop via thumb drive, and ran it. The window it's running in (C:\WINDOWS\system32\cmd.exe) seems to be an endless loop of text running top to bottom. I'm not touching anything till I hear from you!

#72 ken545

Forum God

Retired Classroom Teacher
23,225 posts

Interests:Fighting Malware and cooking some great Italian and TexMex food

Posted 04 January 2012 - 03:08 PM

Did running the script from the Recovery Console get you up and running ? Go to Task Manager (Ctrl. Alt. Del ) and under Applications just end CMD , Then see if Combofix will run

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.

#73 Dean N

Authentic Member

Authentic Member
152 posts

Posted 04 January 2012 - 03:10 PM

No... recovery console never progressed beyone the inital screen. Combofix is working. Shall I post the log when done?

#74 ken545

Forum God

Retired Classroom Teacher
23,225 posts

Interests:Fighting Malware and cooking some great Italian and TexMex food

Posted 04 January 2012 - 03:14 PM

Yes please

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE

Just a reminder that threads will be closed if no reply in 3 days.

#75 Dean N

Authentic Member

Authentic Member
152 posts

Posted 04 January 2012 - 04:43 PM

Combofix:

ComboFix 12-01-02.02 - Dean Nicholson 01/04/2012 16:19:04.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2498 [GMT -5:00]
Running from: c:\documents and settings\Dean Nicholson\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\hriuaaa.tmp
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-04 02:16 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-01-04 02:16 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-02 22:55 . 2012-01-01 17:17 4702720 ----a-w- C:\aswMBR.exe
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-01 00:31 . 2012-01-01 00:31 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-01 00:29 . 2012-01-01 00:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-30 19:28 . 2011-12-30 19:28 -------- d-----w- c:\program files\ESET
2011-12-30 12:21 . 2012-01-01 06:39 -------- d-----w- c:\windows\system32\LogFiles
2011-12-30 01:16 . 2011-12-30 01:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-21 00:36 . 2011-12-29 01:52 -------- d-----w- c:\documents and settings\Dean Nicholson\Application Data\Skype
2011-12-21 00:36 . 2011-12-29 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-12-18 21:32 . 2011-12-18 21:32 -------- d-----w- c:\documents and settings\Dean Nicholson\Application Data\Yahoo!
2011-12-18 21:29 . 2011-12-23 05:00 -------- d-----w- c:\program files\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-03 00:42 . 2010-08-30 18:15 1058816 ----a-w- c:\windows\explorer.exe
2011-12-28 00:19 . 2011-07-01 01:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-07-01 02:22 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2010-08-30 18:15 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2010-08-30 18:15 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2010-08-30 18:15 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2010-08-30 18:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2010-08-30 18:15 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2010-08-30 18:15 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-08-30 18:15 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2010-08-30 18:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-08-30 18:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-10 12:31 . 2011-07-02 02:13 17712 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-10-10 12:31 . 2011-07-02 02:13 26416 ----a-w- c:\windows\system32\nitrolocalmon2.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-08-21 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-08-21 . 1300F6682BEA386767AE2A7C6C2DDCA7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[7] 2008-08-21 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-08-21 . ECD453C1AD7D2FF9448C24A65642FE17 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2012-01-03 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-08-21 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot_2012-01-04_03.04.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-04 19:43 . 2012-01-04 19:43 16384 c:\windows\temp\Perflib_Perfdata_c0c.dat
+ 2012-01-04 21:52 . 2012-01-04 21:52 16384 c:\windows\temp\Perflib_Perfdata_860.dat
+ 2012-01-01 03:06 . 2012-01-04 13:17 6356992 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-01 03:06 . 2012-01-04 01:45 6356992 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\preload.exe" [2011-07-03 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-05-12 517480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-03-05 3093816]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-04-22 431464]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2010-04-22 181608]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-23 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"dplaysvr"="c:\documents and settings\Dean Nicholson\Application Data\dplaysvr.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dplaysvr"="c:\documents and settings\Dean Nicholson\Application Data\dplaysvr.exe" [BU]
.
c:\documents and settings\Dean Nicholson\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [8/31/2010 12:26 PM 24304]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/1/2010 11:16 AM 13480]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [8/31/2010 12:26 PM 132456]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [10/10/2011 7:32 AM 196912]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/31/2010 12:26 PM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/1/2010 11:16 AM 63928]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 2:54 PM 37312]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/1/2010 11:16 AM 45496]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 3:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 2:42 PM 73600]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004Core.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004UA.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-04 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-08-31 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-04 16:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1116)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(368)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\igfxext.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090605-2002\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-04 17:08:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-04 22:08
ComboFix2.txt 2012-01-04 03:19
ComboFix3.txt 2012-01-03 18:17
ComboFix4.txt 2012-01-02 23:16
.
Pre-Run: 81,653,841,920 bytes free
Post-Run: 81,644,658,688 bytes free
.
- - End Of File - - 09D5D261D92EDFA55F3231AFE3488A19

Body Background

skin color theme